Supreme Court: Articles 3, 6 and 8 ECHR in child protection PII case

There have been a number of important privacy judgments in recent weeks, particularly concerning Article 8 ECHR in cases with child protection elements. I have blogged on two Court of Appeal judgments. In the matter of X and Y (Children) [2012] EWCA Civ 1500 (19 November 2012) (Pill, Toulson and Munby LJJ; appeal against a decision of Peter Jackson J in the Family Division) concerned the tension between Articles 8 and 10. A second, more recent Court of Appeal judgment in Durham County Council v Dunn [2012] EWCA Civ 1654 (13 December 2012) (Maurice Kay, Munby and Tomlinson LJJ; appeal against a decision of HHJ Armitage QC) focused on balancing competing rights under Articles 8 (private and family life) and 6 (fair trial).

The Supreme Court has this week handed down an important judgment of the latter variety (Articles 8 and 6, as well as an Article 3 claim) in Re A (A Child) [2012] UKSC 60 (12 December 2012) (Lady Hale, with whom Lords Neuberger, Clarke, Wilson and Reed agreed; appeal against a decision of McFarlane, Thorpe and Hallett LJJ).

Lady Hale began by summarising the case thus:

“We are asked in this case to reconcile the irreconcilable. On the one hand, there is the interest of a vulnerable young woman (X) who made an allegation in confidence to the authorities that while she was a child she had been seriously sexually abused by the father of a little girl (A) who is now aged 10. On the other hand we have the interests of that little girl, her mother (M) and her father (F), in having that allegation properly investigated and tested. These interests are not only private to the people involved. There are also public interests, on the one hand, in maintaining the confidentiality of this kind of communication, and, on the other, in the fair and open conduct of legal disputes. On both sides there is a public interest in protecting both children and vulnerable young adults from the risk of harm.”

In essence, X made the allegations of past sexual abuse by F to the local authority, but did not wish to take action against F. She asserted her rights to privacy and confidentiality under Article 8 and argued that disclosure of her identity and the details of her allegations would amount to inhuman or degrading treatment contrary to Article 3.

The local authority asserted public interest immunity from disclosure. Lady Hale held that, analysed in terms of common law principles, disclosure should be ordered despite the important public interest in preserving the confidence of people who come forward with allegations of child abuse. At paragraph 30, she said this:

“Those allegations have to be properly investigated and tested so that A can either be protected from any risk of harm which her father may present to her or can resume her normal relationship with him. That simply cannot be done without disclosing to the parents and to the Children’s Guardian the identity of X and the detail and history of the allegations which she has made.”

The same conclusion was reached by analysing the matter in Convention terms. X’s case was primarily based on Article 3. Lady Hale agreed with the Court of Appeal that disclosure would not violate those rights: “The context here is not only that the state is acting in support of some important public interests; it is also that X is currently under the specialist care of a consultant physician and a consultant psychiatrist, who will no doubt do their utmost to mitigate any further suffering which disclosure may cause her” (paragraph 32).

Leaving aside Article 3, Lady Hale concluded that the rights of C, M and F under Articles 8 and 6 outweighed the Article 8 rights of X in the circumstances. A closed procedure seeking to minimise the impact on X’s privacy was not possible here. Furthermore, disclosure would not automatically expose X to the trauma of cross-examination: medical evidence and other means of giving evidence could, for example, be appropriate.

The case is an illuminating instance of extremely strong privacy rights being trumped by a combination of the family life rights of others, and in particular their right to a fair trial. In particular, it illustrates how, when serious allegations are made against individuals, the notion of privacy can cut both ways.

Robin Hopkins

Universities and requests for lecturers’ private research: when will it be “held” by the University?

The First-Tier Tribunal’s decision of 13 December 2012 in Montague v (1) Information Commissioner (2) Liverpool John Moores University EA/2012/0109 will be of interest to academic institutions, and any other public bodies whose employees have research interests not necessarily connected with their job. Anya Proops of 11KBW appeared for the University.

The Appellant Mr Montague asked Liverpool John Moores University for copies of emails sent by a senior lecturer at the University from his University email account, linked to his work with the Global Warming Policy Foundation (“GWPF”). The lecturer in question had worked at the University from November 1993 to July 2010 as a social anthropologist. In November 2009, he had become Director of the GWPF. The GWPF is a controversial organisation founded under the aegis of Lord Lawson, which promotes scepticism about man-made climate change.

The question at issue was whether the University “held” the information for the purposes of the Freedom of Information Act 2000 (“FOIA”), even if it was in fact contained in a university email account to which it had access.

Information is “held” by an authority for the purposes of FOIA if it is held by the authority “otherwise than on behalf of another person”, or is held by another person “on behalf of the authority”: see s.3(2) FOIA. That means mere physical possession of information is not enough to establish that information is “held”; it must also, to a sufficient extent, be meaningfully connected to the authority: see for example University of Newcastle v IC and BUAV [2011] UKUT 185 (AAC).

Both the University and the ICO considered that the University did not “hold” the information in this case, and the Tribunal agreed. The crucial point was that there was no connection between the lecturer’s private research for the GWPF, and the work he did within the University. The lecturer pursued the subject of global warming in his own free time, and exclusively in his own private interest. It had no bearing on his role as an academic employed in the University’s School of Sport and Exercise Science. The research was not funded by the University, and the University neither had any interest in the research nor sought to benefit from it. Since the emails were sent in a purely private and personal capacity, the University did not “hold” them.

This outcome is plainly in accordance with FOIA, and was perhaps inevitable on the facts. It should be of comfort to academic institutions whose lecturers pursue private interests. Of course, the situation would have been very different if the research had been connected in any way with the lecturer’s post. The decision can usefully be compared and contrasted with the ICO’s recent decision concerning emails sent by the Secretary of State for Education (Michael Gove) from his private email account. There, the information was in fact “held” by the Department for Education for the purposes of FOIA, even though the Department was not in physical possession of the information, because the ICO considered it concerned the business of the Department, rather than purely party political matters. The thread running through the two contrasting decisions is the same: what matters is not whether the authority actually has possession of the information, but whether the information has a substantial connection to its business.

Julian Milford

CPR disclosure applications: ignore the DPA; balance Articles 6 and 8 instead

It is increasingly common for requests for disclosure in pre-action or other litigation correspondence to include a subject access request under section 7 of the Data Protection Act 1998. Litigants dissatisfied with the response to such requests often make applications for disclosure. Where an application is made in the usual way (i.e. under the CPR, rather than as a claim under section 7 of the DPA), how should it be approached? As a subject access request, with the “legal proceedings” exemption (section 35) arising for consideration, or as an “ordinary” disclosure application under CPR Rule 31? If the latter, what role (if any) do data protection rights play in the analysis of what should be disclosed?

As the Court of Appeal in Durham County Council v Dunn [2012] EWCA Civ 1654 observed in a judgment handed down today, there is much confusion and inconsistency of approach to these questions. Difficulties are exacerbated when the context is particularly sensitive – local authority social work records being a prime example. Anyone grappling with disclosure questions about records of that type will need to pay close attention to the Dunn judgment.

Background to the disclosure application

Mr Dunn alleged that he had suffered assaults and systemic negligence while in local authority care. He named individual perpetrators. He also said he had witnessed similar acts of violence being suffered by other boys. He brought proceedings against the local authority. His solicitors asked for disclosure of various documents; included in the list of requested disclosure was the information to which Mr Dunn was entitled under section 7 of the DPA. Some documents were withheld from inspection, apparently on data protection grounds.

Mr Dunn made a disclosure application in the usual way, i.e. he did not bring a section 7 DPA claim. The District Judge assessed the application in data protection terms. He ordered disclosure with the redaction of names and addresses of residents of the care facility – but not those of staff members and other agents, who would not suffer the same stigmas or privacy incursions from such disclosure.

Mr Dunn said he could not pursue his claim properly without witnesses and, where appropriate, their contact details. He appealed successfully against the disclosure order. The order for redaction was overturned. The judge’s approach was to consider this under the CPR (this being a civil damages claim) – but to take the DPA into account as a distinct consideration in reaching his disclosure decision.

The relevance of the DPA

The Court of Appeal upheld the use of the CPR as the correct regime for the analysis. It also upheld the appeal judge’s ultimate conclusion. It said, however, that he went wrong in treating the DPA as a distinct consideration when considering a disclosure application under the CPR. With such applications, the DPA is a distraction (paragraphs 21 and 23 of the judgment of Maurice Kay LJ). It is potentially “misleading to refer to a duty to protect data as if it were a category of exemption from disclosure or inspection. The true position is that CPR31, read as a whole, enables and requires the court to excuse disclosure or inspection on public interest grounds” (paragraph 21).

This was not to dismiss the usefulness of a subject access request to those contemplating litigation. See paragraph 16:

“I do not doubt that a person in the position of the claimant is entitled – before, during or without regard to legal proceedings – to make an access request pursuant to section 7. I also understand that such a request prior to the commencement of proceedings may be attractive to prospective claimants and their solicitors. It is significantly less expensive than an application to the Court for disclosure before the commencement of proceedings pursuant to CPR31.16. Such an access may result in sufficient disclosure to satisfy the prospective claimant’s immediate needs. However, it has its limitations. For one thing, the duty of the data controller under section 7 is not expressed in terms of disclosure of documents but refers to communication of “information” in “an intelligible form”. Although this may be achieved by disclosure of copies of original documents, possibly redacted pursuant to section 7(5), it seems to me that it may also be achievable without going that far. Secondly, if the data subject is dissatisfied by the response of the data controller, his remedy is by way of proceedings pursuant to section 7 which would be time-consuming and expensive in any event. They would also engage the CPR at that stage: Johnson v Medical Defence Union [2005] 1 WLR 750; [2004] EWHC 2509 (Ch).”

Instead, the CPR disclosure analysis should balance Article 6 and Article 8 rights in the context of the particular litigation.

Maurice Kay LJ summed up the requisite approach as follows:

“What does that approach require? First, obligations in relation to disclosure and inspection arise only when the relevance test is satisfied. Relevance can include “train of inquiry” points which are not merely fishing expeditions. This is a matter of fact, degree and proportionality. Secondly, if the relevance test is satisfied, it is for the party or person in possession of the document or who would be adversely affected by its disclosure or inspection to assert exemption from disclosure or inspection. Thirdly, any ensuing dispute falls to be determined ultimately by a balancing exercise, having regard to the fair trial rights of the party seeking disclosure or inspection and the privacy or confidentiality rights of the other party and any person whose rights may require protection. It will generally involve a consideration of competing ECHR rights. Fourthly, the denial of disclosure or inspection is limited to circumstances where such denial is strictly necessary. Fifthly, in some cases the balance may need to be struck by a limited or restricted order which respects a protected interest by such things as redaction, confidentiality rings, anonymity in the proceedings or other such order. Again, the limitation or restriction must satisfy the test of strict necessity.”

How to approach disclosure of social work records in litigation

This issue was dealt with by Munby LJ. In short, the main question was whether those seeking to withhold or redact social work records in litigation should analyse the issue in terms of public interest immunity (as some textbooks, older authorities and even the White Book appeared to suggest) or in terms of a balancing between competing rights under the ECHR (in particular, Articles 6 and 8).

Munby LJ made clear that the right answer is the latter. Where information contained in social work records is to be withheld in legal proceedings, this should not now be on the basis of a claim to public interest immunity; we are “a world away from 1970 or even 1989” (paragraph 43). This was despite the fact that “the casual reader of the White Book” (paragraph 31.3.33 in particular) could be forgiven for thinking that PII applies to local authority social work records. Here Munby LJ said he “would respectfully suggest that the treatment of this important topic in the White Book is so succinct as to be inadvertently misleading” (paragraph 48).

Importantly, Munby LJ also went on to explain how (and with what stringency) Article 8 rights to privacy and the protection of personal information should be approached when disclosing information pursuant to litigation. At paragraph 50, he gave the following guidance:

“… particularly in the light of the Convention jurisprudence, disclosure is never a simply binary question: yes or no. There may be circumstances, and it might be thought that the present is just such a case, where a proper evaluation and weighing of the various interests will lead to the conclusion that (i) there should be disclosure but (ii) the disclosure needs to be subject to safeguards. For example, safeguards limiting the use that may be made of the documents and, in particular, safeguards designed to ensure that the release into the public domain of intensely personal information about third parties is strictly limited and permitted only if it has first been anonymised. Disclosure of third party personal data is permissible only if there are what the Strasbourg court in Z v Finland (1998) 25 EHRR 373, paragraph 103, referred to as “effective and adequate safeguards against abuse.” An example of an order imposing such safeguards can be found in A Health Authority v X (Discovery: Medical Conduct) [2001] 2 FLR 673, 699 (appeal dismissed A Health Authority v X [2001] EWCA Civ 2014, [2002] 1 FLR 1045).”

Robin Hopkins

Redacting for anonymisation: Article 8 v Article 10 in child protection context

Panopticon has reported recently on the ICO’s new Code of Practice on Anonymisation: see Rachel Kamm’s post here. That Code offers guidance for ensuring data protection-compliant disclosure in difficult cases such as those involving apparently anonymous statistics, and situations where someone with inside knowledge (or a ‘motivated intruder’) could identify someone referred to anonymously in a disclosed document. The Upper Tribunal in Information Commissioner v Magherafelt District Council [2012] UKUT 263 AAC grappled with those issues earlier this year in the context of disclosing a summarised schedule of disciplinary action.

Redaction is often crucial in achieving anonymisation. Getting redaction right can be difficult: too much redaction undermines transparency, too little undermines privacy. The Court of Appeal’s recent judgment In the matter of X and Y (Children) [2012] EWCA Civ 1500 is a case in point. It involved the publication of a summary report from a serious case review by a Welsh local authority’s Safeguarding Children Board. The case involved very strong competing interests in terms of Article 8 and Article 10 ECHR. For obvious reasons (anonymity being the key concern here) little could be said of the underlying facts, but the key points are these.

A parent was convicted in the Crown Court of a serious offence relating to one of the children of the family (X). The trial received extensive coverage in the local media. The parent was named. The parent’s address was given. The fact that there were other siblings was reported, as also their number. All of this coverage was lawful.

The local authority’s Safeguarding Children Board conducted a Serious Case Review in accordance with the provisions of the Children Act 2004 and The Local Safeguarding Children Boards (Wales) Regulations 2006. Those Regulations require the Board to produce an “overview report” and also an anonymised summary of the overview report. The relevant Guidance provides that the Board should also “arrange for an anonymised executive summary to be prepared, to be made publicly available at the principal offices of the Board”.

Here two features of the draft Executive Summary were pivotal.

First, reference was made to the proceedings in the Crown Court in such a way as would enable many readers to recognise immediately which family was being referred to and would enable anyone else so inclined to obtain that information by only a few minutes searching of the internet.

Second, it referred, and in some detail, to the fact, which had not emerged during the proceedings in the Crown Court and which is not in the public domain, that another child in the family (Y), had also been the victim of parental abuse.

The local authority wanted to publish the Executive Summary, seeking to be transparent about its efforts to put right what went wrong and to show that it has learned lessons from X’s death. It recognised the impact on Y, but argued for a relaxation of a restricted reporting order to allow it to publish the Executive Summary with some redactions. It was supported by media organisations who were legally represented.

The judge (Peter Jackson J) undertook a balance of interests under Articles 8 and 10. He allowed publication, with redactions which were (in the Court of Appeal’s words) “in substance confined to three matters: the number, the gender and the ages of the children.”

In assessing the adequacy of these redactions, the Court of Appeal considered this point from the judgment of Baroness Hale in ZH (Tanzania) v Secretary of State for the Home Department [2011] UKSC 4, [2011] 2 AC 166, at paragraph 33:

“In making the proportionality assessment under article 8, the best interests of the child must be a primary consideration. This means that they must be considered first. They can, of course, be outweighed by the cumulative effect of other considerations.”

Munby LJ thus concluded (paragraph 47 of this judgment) that “it will be a rare case where the identity of a living child is not anonymised”.

He recognised, on the other hand, that Article 10 factors always retained their importance: “there could be circumstances where the Article 8 claims are so dominant as to preclude publication altogether, though I suspect that such occasions will be very rare.”

On the approach to anonymisation through redaction, Munby LJ had this to say (paragraph 48):

“In some cases the requisite degree of anonymisation may be achieved simply by removing names and substituting initials. In other cases, merely removing a name or even many names will be quite inadequate. Where a person is well known or the circumstances are notorious, the removal of other identifying particulars will be necessary – how many depending of course on the particular circumstances of the case.”

In the present case, the redactions had been inadequate. They did not “address the difficulty presented by the two key features of the draft, namely, the reference to the proceedings in the Crown Court and the reference to the fact that Y had also been the victim of parental abuse” (paragraph 53).

Far more drastic redaction was required in these circumstances: to that extent, privacy trumped transparency, notwithstanding the legislation and the Guidance’s emphasis on disclosure. In cases such as this (involving serious incidents with respect to children), those taking disclosure decisions should err on the side of heavy redaction.

Robin Hopkins

 

Internet traffic data and debt collection: privacy implications

Mr Probst was a subscriber to the internet service provider (ISP) Verizon. He failed to pay his bill. A company called ‘nexnet’, the assignee of Verizon’s debt, sought to collect the sums due. In doing so, it obtained and used his internet traffic data in accordance with its ‘data protection and confidentiality agreement’ with Verizon. Disinclined to pay up, Mr Probst argued that nexnet had processed his personal data unlawfully and that the relevant terms of its agreement with Verizon purporting to sanction that processing were void. The first-instance German court agreed with him, but the appellate court did not.

It referred a question to the CJEU concerning Directive 2002/58 (the privacy and electronic communications Directive), which seeks to “particularise and complement” the Data Protection Directive 95/46/EC.

Article 5(1) of the 2002 Directive provides confidentiality in respect of electronic communications and traffic data. Article 6(1) says that traffic data must be “erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication”, unless one of the exceptions in that Article applies. The relevant provisions here were Articles 6(2) and (5). The first allows traffic data to be processed for subscriber billing purposes – but only within a specified time period. The second allows for processing of such data by an ISP’s authorised agent only for specified activities and only insofar as is necessary for those activities. The provisions are worded as follows:

(2) Traffic data necessary for the purposes of subscriber billing and interconnection payments may be processed. Such processing is permissible only up to the end of the period during which the bill may lawfully be challenged or payment pursued.

(5) Processing of traffic data, in accordance with paragraphs 1, 2, 3 and 4, must be restricted to persons acting under the authority of providers of the public communications networks and publicly available electronic communications services handling billing or traffic management, customer enquiries, fraud detection, marketing electronic communications services or providing a value added service, and must be restricted to what is necessary for the purposes of such activities.

In Probst v mr.nexnet GmbH (Case C‑119/12), the Third Chamber of the CJEU essentially had to decide whether, and in what circumstances, Articles 6(2) and (5) allow an ISP to pass traffic data to the assignee of its claims for payment such that the latter may process those data. Its starting point was that Articles 6(2) and (5) were exceptions to the general principle of confidentiality with respect to one’s internet traffic data. They therefore needed to be construed strictly.

As regards Article 6(2), Mr Probst had argued that nexnet was not in the business of ‘billing’, but in the business of debt collection. The referring court’s view was that, for data protection purposes, those activities were sufficiently closely connected to be treated identically. The Third Chamber agreed. It found that, by authorising traffic data processing ‘up to the end of the period during which the bill may lawfully be challenged or payment pursued’, Article 6(2) relates not only to data processing at the time of billing but also to the processing necessary for securing payment thereof.

As to Article 6(5), the Court held “that a person acts under the authority of another where the former acts on instructions and under the control of the latter”.

The next question was essentially: what does a data protection-compliant contract between an ISP and a third party (an agent, assignee or someone to whom an activity is outsourced) look like? Must the ISP actually be able to determine the use of the data by the third party, including on a case-by-case basis, throughout the duration of the data processing? Or is it sufficient that its contract with the third party contains general rules about the privacy of telecommunications and data protection and provides for data to be erased or returned on request?

The Court emphasised that outsourcing or assignment may not result in lower levels of protection for individuals’ personal data (paragraph 26). The contract must be sufficiently specific. It must, for example, provide for the immediate and irreversible erasure or return of data as soon as knowledge thereof is no longer necessary for the recovery of the claims concerned. The controller (here, the ISP) must be in a position to check and ensure compliance with the privacy and data protection measures agreed under the contract, and the contract must provide for the ISP to be able to request the return or erasure of the data.

The issue in the Probst case (how to balance privacy and legal rights to monies owed) has obvious parallels with measures to combat copyright infringement (how to balance privacy and legal rights to intellectual property). I have blogged on copyright and privacy issues here and here.

The Probst judgment is an important confirmation of general principles about privacy with respect to one’s internet data. The implications for all sorts of contracts involving such data are clear – cloud computing arrangements, for example (on which, see Panopticon’s post here).

It is increasingly important that those contracts provide for specific and enforceable safeguards against unlawful processing of personal data. The Data Protection Directive will change before too long, but these principles will not.

Robin Hopkins

Leveson Inquiry Report: spotlight on proposed data protection reforms

Lord Justice Leveson has today published his eagerly awaited report into the culture, practices and ethics of the press. The key proposal which will shape the future of press regulation is the recommendation to create an independent self-regulatory body, governed by an independent board. Of particular interest to information lawyers is the discussion of the extent to which the current legal, policy and regulatory framework has failed in relation to data protection. In this respect, the Report considers the lessons that can be learned from the practices of the press in relation to data handling and processing, makes bold recommendations in relation to legislative reform and further considers a bolstering of the Information Commissioner’s role and function. The principal parts of the report dealing with the Data Protection Act 1998 (“DPA”) and ICO are Volume III, Part H and Volume IV, Appendix 4, Part 4.

Data protection: a key element of privacy rights

A key part of the Leveson Inquiry has been to consider the extent to which the press has interfered with the privacy of individuals in a manner which cannot be justified in the public interest. In this context, invasion of privacy means not simply the publication of articles which intrude into the details of individuals’ private lives, but also interference with the rights of individuals to keep personal information private, and with the rights restricting how personal information is processed by journalists. The Inquiry’s Terms of Reference expressly required Lord Justice Leveson to consider the extent to which the current policy and regulatory framework has failed in relation to data protection. The Inquiry provided a fresh and independent perspective for considering the DPA and the role of the ICO.

Historic difficulties in investigating and regulating data protection breaches by the press

Operation Motorman was an investigation by the ICO into the conduct of a private investigator, Steve Whittamore, which revealed that a significant amount of personal data was being sought by journalists working for most of the major newspaper groups. The data was being obtained by Mr Whittamore in breach of s.55 DPA (for example, through payments to public officials for details from a DVLA database, or through the blagging of friends and family telephone numbers from BT) and subsequently supplied to journalists. Mr Whittamore was prosecuted, but no journalist was interviewed by the ICO or subjected to enforcement action or prosecution. The Report highlights that the investigation produced a ‘treasure trove’ of evidence of serious and systemic illegality and poor practice in the acquisition and use of personal information which could have spread across the press as a whole. It also questions why the ICO failed to interview journalists or prosecute journalists for breach of the DPA, and notes that two reports laid before Parliament by the ICO had set out the evidence of a flourishing and unlawful trade in confidential personal information.

The Report highlights that one of the difficulties encountered by the ICO in pursuing breaches of data protection legislation against the press arose from deficiencies in the legal framework, which “puts unnecessary and inappropriate barriers in the way of regulatory law enforcement and the protection of victims’ rights”. Perhaps for this reason, amendments to the legal framework form a key part of the recommendations on data protection reform.

Recommendations to amend data protection legislation

Section 32 of the DPA restricts the circumstances in which the ICO can exercise most of its powers in relation to the press. Section 32 operates by disapplying a number of investigative and enforcement powers in circumstances where the data processing falls within section 32, namely where (i) the processing is undertaken with a view to the publication by any person of any journalistic material; (ii) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest; and (iii) the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes.

The Report recommends that section 32 should be amended so as to make it available only where: (a) the processing of data is necessary for publication, rather than simply being in fact undertaken with a view to publication; (b) the data controller reasonably believes that the relevant publication would be or is in the public interest, with no special weighting of the balance between the public interest in freedom of expression and in privacy; and (c) objectively, that the likely interference with privacy resulting from the processing of the data is outweighed by the public interest in publication. These amendments would render it more difficult for those organisations processing data for the purposes of publication to bring themselves within the scope of s.32. The proposed amendments seek to re-set the balance between the public interest in freedom of expression and the public interest in personal information privacy.

Further, the report recommends that the extent to which s.32 disapplies provisions of the DPA should be reduced and that the processing of data by the press should be subject to the following obligations (which previously attracted exemption):

  • the requirement of the first data protection principle to process personal data fairly (except in relation to the provision of information to the data subject under paragraph 2(1)(a) of Part II Schedule 1 to the DPA) and in accordance with statute law;
  • the second data protection principle (personal data to be obtained only for specific purposes and not processed incompatibly with those purposes);
  • the fourth data protection principle (personal data to be accurate and kept up to date);
  • the sixth data protection principle (personal data to be processed in accordance with the rights of individuals under the Act);
  • the eighth data protection principle (restrictions on exporting personal data); and
  • the right of subject access (subject to further investigation and clarification of protection of journalists’ sources).

Recommendations for procedural amendments

The Report recommends:

  • The repeal of certain procedural provisions of the DPA with special application to journalism (namely section 32(4) and (5) and sections 44 to 46). The purpose of this is to give the ICO, and the Courts, greater powers to consider breaches of data protection without procedural hurdles in place. For example, repealing section 32(4) would allow the Courts to consider a complaint, rather than being prevented from considering it whilst the ICO determines whether the data controller has been processing the data for the purposes of journalism;
  • In conjunction with the repeal of those procedural provisions, consideration should be given to the desirability of including in the DPA a provision to the effect that, in considering the exercise of any powers in relation to the media or other publishers, the ICO should have special regard to the obligation in law to balance the public interest in freedom of expression alongside the public interest in upholding the data protection regime;
  • Specific provision should be made to the effect that, in considering the exercise of any of its powers in relation to the media or other publishers, the ICO must have regard to the application to a data controller of any relevant system of regulation or standards enforcement which is contained in or recognised by statute; and
  • To further strengthen individuals’ rights, the right to compensation for distress conferred by section 13 of the DPA is not restricted to cases of pecuniary loss, but should include compensation for pure distress.

ICO’s powers of prosecution

In his evidence to the Inquiry, the former Information Commissioner Richard Thomas described the ICO as “primarily not a prosecuting authority. That was almost on the side”. The main formal power in the event of non-compliance was the ‘enforcement notice’, which could specify and require compliance action subject to the back-up sanctions of court enforcement, although this was not frequently used. Prosecution powers were limited to section 55 of the DPA and did not extend, for example, to other offences such as phone hacking (although this might also technically involve a section 55 DPA breach).

The Report recommends that:

  • The necessary steps should be taken to bring into force the amendments made to section 55 of the DPA by section 77 of the Criminal Justice and Immigration Act 2008 (increase of sentence maxima) to the extent of the maximum specified period; and by section 78 of the 2008 Act (enhanced defence for public interest journalism);
  • The prosecution powers of the Information Commissioner should be extended to include any offence which also constitutes a breach of the data protection principles;
  • A new duty should be introduced (whether formal or informal) for the ICO to consult with the Crown Prosecution Service in relation to the exercise of its powers to undertake criminal proceedings;
  • The ICO should immediately adopt the Guidelines for Prosecutors on assessing the public interest in cases affecting the media, issued by the Director of Public Prosecutions in September 2012; and
  • The ICO should take immediate steps to engage with the Metropolitan Police on the preparation of a long-term strategy in relation to alleged media crime with a view to ensuring that it is well placed to fulfil any necessary role in this respect in the future, and in particular in the aftermath of Operations Weeting, Tuleta and Elveden.

Recommendation to issue guidance

The Report includes a number of recommendations directed at the ICO in relation to its provision of guidance and advice. In particular, it recommends that the ICO should issue good practice guidelines and advice on appropriate principles and standards to be observed by the press in the processing of personal data. Further, it should issue guidance to the public on their individual rights in relation to the press and their personal data and also advice for data subjects who are concerned that their data may have been processed by the press unlawfully or otherwise than in accordance with good practice. In full:

  • The ICO should take immediate steps to prepare, adopt and publish a policy on the exercise of its formal regulatory functions in order to ensure that the press complies with the legal requirements of the data protection regime.
  • In discharge of its functions and duties to promote good practice in areas of public concern, the ICO should take immediate steps, in consultation with the industry, to prepare and issue comprehensive good practice guidelines and advice on appropriate principles and standards to be observed by the press in the processing of personal data. This should be prepared and implemented within six months from the date of this Report.
  • The ICO should take steps to prepare and issue guidance to the public on their individual rights in relation to the obtaining and use by the press of their personal data, and how to exercise those rights.
  • In particular, the ICO should take immediate steps to publish advice aimed at individuals (data subjects) concerned that their data have or may have been processed by the press unlawfully or otherwise than in accordance with good practice.
  • The ICO, in the Annual Report to Parliament which it is required to make by virtue of section 52(1) of the DPA, should include regular updates on the effectiveness of the foregoing measures, and on the culture, practices and ethics of the press in relation to the processing of personal data.

Strengthening the ICO

The Report recommends that the opportunity should be taken to consider amending the DPA formally to reconstitute the ICO as an Information Commission, led by a Board of Commissioners with suitable expertise drawn from the worlds of regulation, public administration, law and business, and active consideration should be given in that context to the desirability of including on the Board a Commissioner from the media sector.

The Report recommended to the ICO that:

  • It should take the opportunity to review the availability to it of specialist legal and practical knowledge of the application of the data protection regime to the press, and to any extent necessary address it; and
  • It should take the opportunity to review its organisation and decision-making processes to ensure that large-scale issues, with both strategic and operational dimensions (including the relationship between the culture, practices and ethics of the press in relation to personal information on the one hand, and the application of the data protection regime to the press on the other) can be satisfactorily considered and addressed in the round.

Conclusion

The recommendations in the Report seek to significantly strengthen the ICO’s powers to investigate and enforce against poor press practices and, if enacted, would represent a marked change in the relationship between the ICO and the press.

Rachel Kamm

(11KBW’s Heather Emmerson was instructed by the Treasury Solicitor as part of the team of Counsel to the Leveson Inquiry.)