Norwich Pharmacal Relief

Posted on | by James Goudie KC

If through no fault of his own a person gets  mixed up in the tortious acts of others so as to facilitate their wrong-doing he may incur no personal liability but he comes under a duty to assist the person who has been wronged by giving him full information and disclosing the identity of the wrongdoers.  Justice requires that he should co-operate in righting the wrong if he unwittingly facilitated its perpetration.  This is the principle recognized by the House of Lords in Norwich Pharmacal Co v Customs and Excise Commissioners [1974] AC 133.

This principle has been considered by the Supreme Court in Rugby Football Union v Consolidated Information Services Ltd (formerly Viagogo Ltd) [2012] UKSC 55.  This case arose in the following way. 

The Rugby Football Union (RFU) is of course the governing body for Rugby Union in England. It owns Twickenham Stadium.  It is responsible for issuing tickets for matches played at the Stadium. It is the RFU’s policy to allocate tickets so as to develop the sport and enhance its popularity. Most tickets are distributed via affiliated rugby clubs and other bodies. The distribution thereafter is subject to different rules depending on the nature of the body in question. Member clubs are permitted to sell some or all of their ticket allocation to official licensed operators for use in corporate hospitality packages. The RFU’s terms and conditions stipulate that any resale of a ticket or any advertisement of a ticket for sale at above face value will constitute a breach of contract rendering the ticket null and void. This condition is printed on the tickets and applicants are warned of it on ticket application forms. A further term stipulates that the tickets are property of the RFU at all times.

Viagogo (now in liquidation) operated a website which provided the opportunity for visitors to the site to buy tickets online for a number of sporting and other events. Sellers would register their tickets with Viagogo and a price would be suggested based on current market data. Viagogo received a percentage of the sale. The RFU monitors ticket re-sale websites in an attempt to discover whether and by whom tickets were being sold above face value. This effort was frustrated, however, in many instances by the anonymity offered by websites including Viagogo.

In the run up to the international rugby matches in autumn 2010 and the Six Nations Tournament, the RFU discovered that Viagogo had been used to advertise thousands of tickets for the matches at Twickenham. Tickets with a face value of £20 to £55 were being advertised for sale at up to £1300. After a request for information about the identity of those selling the tickets was refused, the RFU issued proceedings against Viagogo seeking information which it required in order to take action to protect its policy in relation to tickets.

The High Court granted the RFU a Norwich Pharmacal order requiring Viagogo to disclose the identities of those involved in the sales. The order was made on the grounds that the RFU had a good arguable case that those selling and purchasing the tickets had been guilty of breach of contract and that it was appropriate to grant the order for them to obtain redress.

Before the Court of Appeal, Viagogo introduced a new ground of appeal to the effect that granting the order represented a disproportionate interference with the rights of the potential wrongdoers under Article 8 of the Charter of Fundamental Rights of the European Union. Article 8 guarantees the protection of personal data. The Court of Appeal [2011] EWCA Civ 1585 upheld the decision of the High Court and decided that the RFU had no readily alternative means of pursuing the wrongdoers. On the new ground the Court of Appeal held that interference with the personal data rights of the individuals was proportionate in light of the RFU’s legitimate objective in obtaining redress for arguable wrongs.

The issue before the Supreme Court was whether the grant of the order involved a breach of Article 8 of the Charter.  The Supreme Court unanimously dismissed the appeal.  

The Supreme Court observed that cases since Norwich Pharmacal itself have emphasized the need for flexibility and discretion in considering whether the remedy should be granted.  It is not necessary that an applicant intends to bring legal proceedings in respect of the arguable wrong.  Any form of redress (for example disciplinary action or the dismissal of an employee) will suffice to ground an application for the order.  The need to order disclosure will be found to exist only if it is a necessary and proportionate response in all the circumstances.  The test of necessity does not require the remedy to be one of last resort.  The essential purpose of the remedy is to do justice.  This involves the exercise of discretion by a careful and fair weighing of all relevant factors.

Various factors have been identified in the authorities as relevant.  These include: (i) the strength of the possible cause of action contemplated by the applicant for the order;  (ii) the strong public interest in allowing an applicant to vindicate his legal rights;  (iii) whether the making of the order will deter similar wrongdoing in the future;  (iv) whether the information could be obtained from another source;  (v) whether the respondent to the application knew or ought to have known that he was facilitating arguable wrongdoing; (vi) whether the order might reveal the names of innocent persons as well as wrongdoers, and if so whether such innocent persons will suffer any harm as a result;  (vii) the degree of confidentiality of the information sought; (viii) the privacy rights under Article 8 of the ECHR of the individuals whose identity is to be disclosed; (ix) the rights and freedoms under the EU data protection regime of the individuals whose identity is to be disclosed; and (x) the public interest in maintaining the confidentiality of journalistic sources, as recognized in s10 of the Contempt of Court Act 1981 and Article 10 of the ECHR.

As Lord Kerr stated (para 18), many of these factors are self-evidently relevant to the question of whether the issue of a Norwich Pharmacal order is proportionate in the context of Article 8 of the Charter of Fundamental Rights of the European Union.  Article 8 of the Charter was applicable as the order of the High Court involved disclosure of private data and thus was in the material scope of European Law.

The Supreme Court held that the appropriate test of proportionality under Article 8 of the Charter involved weighing the benefit of the information being sought by the RFU against the impact that disclosure was likely to have on the individual concerned. The appellant was wrong to suggest, however, that the assessment had to be carried out solely by reference to the particular benefit that obtaining information in relation to an individual might bring.  It was artificial and unrealistic to suggest that the RFU’s aim of discouraging others in the future from flouting its rules should not be considered.  The facts of each case must be considered individually, but there was nothing in the European cases cited or otherwise which supported the notion that the wider context for which the RFU wished to have the information should be left out of account.

While there should be an intense focus on the rights claimed by the individuals concerned, this was not a case where disclosure would result in oppressive or unfair treatment. The only information sought was the names and addresses of individuals who had bought and sold tickets in clear breach of the RFU’s ticket policy. The particular circumstances affecting a person whose data were sought may in some limited cases displace the interests of the applicant for disclosure even where there was no feasible alternative way of getting the information. This was not such a case, however.

New Code of Practice on anonymisation

Posted on | by Rachel Kamm

The Information Commissioner has published a new code of practice on “Anonymisation: managing data protection risk“.

Under the Data Protection Act 1998, the definition of personal data does not include information relating to an individual if that individual cannot be identified from that information together with all other information which is in the possession of, or is likely to come into the possession of, the data controller. It follows that where an organisation holds data relating to individuals which is anonymised, or where it is deciding whether or not to anonymise its data, it will need to consider carefully whether the anonymisation method means that the information falls outside the scope of the DPA or not.  The 100+ page code includes guidance and practical examples to assist organisations in assessing their options in relation to anonymisation. This guidance will not only be useful in relation to DPA obligations, but also where an organisation is considering anonymising data in order to respond to a Freedom of Information request. Note that whilst the code gives advice on good practice, it is not mandatory to comply with its recommendations where they go beyond the obligations under the DPA; it  is issued under section 51 of the DPA, but it is not legally enforceable.

In addition to the new Code of Practice, the ICO has announced that “a consortium led by the University of Manchester, with the University of Southampton, Office for National Statistics and the government’s new Open Data Institute (ODI), will run a new UK Anonymisation Network (UKAN). The Network will receive £15,000 worth of funding from the ICO over the next two years to enable sharing of good practice related to anonymisation, across the public and private sector. The network will include a website, case studies, clinics and seminars“.

Rachel Kamm

Retention and disclosure of police caution data infringe Article 8

Posted on | by Charles Bourne

The European Court of Human Rights yesterday handed down a Chamber judgment in M.M. v United Kingdom (Application no. 24029/07) declaring that the arrangements for the indefinite retention of data relating to a person’s caution in a criminal matter and for the disclosure of such data in criminal record checks infringe Article 8 of the ECHR. Although the Court recognised that there might be a need for a comprehensive record of data relating to criminal matters, the indiscriminate and open-ended collection of criminal record data was unlikely to comply with Article 8 in the absence of clear and detailed statutory regulations clarifying the safeguards applicable and governing the use and disposal of such data, particularly bearing in mind the amount and sensitivity of the data. 

The case arose from a family dispute in Northern Ireland in the course of which the applicant, a grandmother, took her grandson away from his parents for two days before returning him unharmed. This resulted in her receiving a caution for child abduction in November 2000. In 2003 the police advised her that her caution would remain on record for only five years, i.e. until 2005. However, following the Soham murders and the Bichard report, there was a change of policy whereby any convictions and cautions where the victim was a child would be kept on record for the offender’s lifetime. 

Until 1 April 2008, requests for disclosure of criminal record data in Northern Ireland were made on a consensual basis. Disclosure took place in accordance with well-established common law powers of the police. Provisions of the Police Act 1997, introduced in England and Wales in 2006, were applied to Northern Ireland in 2008. Section 113A required a criminal record certificate to be issued on request and payment of a fee, to include details of all cautions and convictions whether spent or not, if the request was for stated purposes including that of assessing the suitability of persons to work with children and vulnerable adults.

Disclosure of the applicant’s caution caused her to be turned down for jobs as a family support worker in the social care field. She complained that the indefinite retention and disclosure of the caution data infringed her ECHR rights.

The Court noted that both the storing of information relating to an individual’s private life and the release of such information come within the scope of Article 8 § 1. The question was whether the police records contained data relating to the applicant’s “private life” and, if so, whether there had been an interference with her right to respect for private life. The data was both “personal data” and “sensitive personal data” within the meaning of the Data Protection Act 1998 and “personal data” in a special category under the Council of Europe’s Data Protection Convention. Although a person’s criminal record was public information, systematic storing of data in central records made them available for disclosure long after the event. As a conviction or caution receded into the past, it became a part of the person’s private life which had to be respected. The applicant’s voluntary disclosure of the caution to her prospective employer did not deprive her of the protection afforded by the Convention where employers were legally entitled to insist on disclosure. Thus Article 8 applied, and the retention and disclosure of the caution amounted to an interference.

To decide whether the interference could be justified under Article 8 § 2, the Court considered the legislation and policy applicable at the relevant time and since. It highlighted the absence of a clear legislative framework for the collection and storage of data and the lack of clarity as to the scope, extent and restrictions of what in Northern Ireland were originally common law powers of the police to retain and disclose caution data. There was also no mechanism for independent review of a decision to retain or disclose data. The provisions of the Police Act 1997 which came into force in Northern Ireland on 1 April 2008 created some limited filtering arrangements in respect of disclosures. However, in providing for mandatory disclosure under section 113A, no distinction was made on the basis of the nature of the offence, the disposal in the case, the time which had elapsed since the offence or the relevance of the data to the employment sought.

 The Court decided that the cumulative effect of these matters was an insufficiency of safeguards in the system to ensure that data relating to the applicant’s private life had not been, and would not be, disclosed in violation of her right to respect for her private life, and therefore the retention and disclosure of data was not “in accordance with the law” for the purpose of Article 8 § 2. The Court therefore did not go on to determine whether the interference was “necessary in a democratic society” for one of the stated aims, or whether there had been any infringement of Articles 6 and 7.

 Charles Bourne

 

Update on recent Tribunal decisions part 4: qualified exemptions and the public interest

Posted on | by Robin Hopkins

In the final part of our round-up of recent decisions of the First-Tier Tribunal, Panopticon looks at the qualified exemptions, the public interest and a few other loose ends.

Section 36: Cherie Booth, Ryanair and Council emails

Sutton v IC and Nottingham City Council (EA/2012/0044) concerned the Council’s decision to amend its internal ‘sign off’ procedures for responses to FOIA requests, following an incident in which its response to a request about the cost of Councillors’ refreshments was considered to have been inadvertently misleading and lacking in context. The requester asked for internal emails about the proposed change. The Council withheld some of those emails, contending that they contained the sort of robust, free and frank exchange of views for which a safe decision-making space was needed. In a decision which many local authorities will find heartening, the Tribunal agreed.

The background to Sittampalam v IC and Ministry of Justice (EA/2011/0277) is the comments made by Cherie Booth QC, sitting as a recorder, when sentencing a Muslim defendant. Her comments appeared to suggest that his faith was a mitigating factor in his defence. They caused a stir, were reported in the media and attracted complaints, including by the National Secular Society, to the Office for Judicial Complaints. The OJC concluded that Ms Booth’s comments did not constitute judicial misconduct, though she was to receive “informal advice” on the issue.

A request under FOIA was made for all information about this OJC investigation and any action taken. The public authority relied on s. 36 – prejudice to the free and frank exchange of views, provision of advice or conduct of public affairs. The ‘reasonable opinion of the qualified person’ (the prerequisite for engaging s. 36) was obtained after the public authority’s holding reply to the request and after the statutory time for compliance – but before the public authority’s formal notice of refusal. The Tribunal rejected the requester’s contention that s. 36 was not engaged because of the timing of the opinion. As to the public interest, the Tribunal was satisfied us that the requester’s suspicions about the OJC ‘covering up’ the complaint or trying to minimise the impact of its conclusions on account of Ms Booth being the wife of Tony Blair were unfounded. Nor were the OJC’s press statements inconsistent with its letters to the National Secular Society. The appeal was dismsised.

Whereas alleged ‘late reliance’ on s. 36 succeeded in Sittampalam, it was unsuccessful before the Tribunal (at the preliminary hearing stage) in Ryanair v IC and Office of Fair Trading (EA/2012/0088). The opinion was obtained prior to the internal review. The Tribunal concluded that:

“Considering issues of reasonableness it is difficult for the Tribunal to be satisfied that the section 36 opinion of the qualified person – given its timing in respect of this appeal – is not an ex post facto conclusion or, more accurately, not tainted with the perception that that could be the case. That goes to the heart of its reasonableness.”

Sections 41 and 43: casinos and vikings

London Borough of Newham v IC (EA/2011/0288) concerned the Council’s award of the licence to operate a large casino at Westfield shopping centre in Stratford. The requester, a law firm acting on behalf of the unsuccessful bidder, made a request under FOIA for documents relating to the successful bid. The Council withheld some of those, relying on s. 44 (statutory bar on disclosure under the Code of Practice for the Gambling Act 2005), s. 41 (information obtained in confidence) and s. 43 (prejudice to commercial interests). The Commissioner was unpersuaded and ordered disclosure.

The Council’s appeal was partially upheld and partially dismissed. The statutory bar was held not to extend beyond the conclusion of the tender process. S. 43(2) was engaged, with the public interest favouring disclosure of some (relating for example to security arrangements and the financial guarantee offered by the winning bidder, as well as records of some of the negotiation discussions, which the Tribunal found would be unsurprising to any commercial rival) but not others (tender details which were deemed more commercially sensitive). Similarly, s. 41 succeeded for some information but not all (some, for example, was effectively in the public domain; some had not been obtained from outside the Council). Bidders could reasonably expect confidentiality not permanently, but for a reasonable time following the bidding process – here the request was made within that reasonable time, which counted in the Council’s favour.

The disputed information in Pim v IC and Down DC (EA/2012/0078) was a business plan submitted by the Magnus Viking Association in respect of their proposed Viking re-enactment centre, and correspondence between the Council and Magnus. The Council relied on regulation 12(5)(e) of the EIR (confidentiality of commercial or industrial information where such confidentiality is provided by law to protect a legitimate economic interest). The Commissioner and Tribunal agreed: extensive research and consultation had gone into the specialist information, which could be used by Magnus’ competitors in a viking re-enactment market which, while not flooded with competition, was growing. There was a strong interest in maintaining trust between the commercial parties.

Prejudice to the course of justice

In McCullough v IC and Northern Ireland Water (EA/2012/0082), the requester sought detailed technical information about vibrations measurements relating to sewer upgrade works in Belfast. The Commissioner agreed with the public authority that regulation 12(5)(b) of the EIR (adverse effects on the course of justice) was engaged and that the public interest favoured its maintenance. A key issue was that disclosure, it was argued, would prejudice NI Water’s position when defending prospective legal claims about the sewer works vibrations, including by the requester (though there was a dispute as to whether the requester did in fact intend such proceedings).

The Tribunal disagreed. It was “not persuaded that purely factual information such as this could ever adversely affect the course of justice” and did “not accept that early disclosure of this technical information would prejudice NI Water in any way that they would not be prejudiced in the normal course of discovery in litigation by such information”. Regulation 12(5)(b) was therefore not engaged, in the Tribunal’s view.

It also did not think that information could be withheld just because of potential prejudice to a public authority’s litigation position: “The implications of implementing such a policy could, in some circumstances amount to a cover up, and in our view would be contrary to the spirit and intent of the FOIA and EIR legislation and further, contrary to the public interest. We are of the view that it is in the public interest that justice is done and that the correct result emerges from litigation, not that a public authority should necessarily be successful, just because it is a public authority.” The exact meaning of these last words is not clear, but the decision will nonetheless raise many a public authority eyebrow.

Robin Hopkins

Update on recent Tribunal decisions part 3: personal data of public officials and relating to court proceedings

Posted on | by Robin Hopkins

I posted a few days ago about some recent decisions of the First-Tier Tribunal on requests under FOIA and the EIR for personal data. There have been a number of decisions on this issue of late. The following are of note, as they illustrate the types of issues very frequently encountered by public authorities. They also illustrate the nuanced and forensic approach taken by some Tribunals. There may not be a presumption in favour of disclosing personal data, but public authorities should beware assuming that Tribunals will be equally cautious about disclosing all types of personal data.

Chief Constable appointments: partial disclosure ordered

The Appointments Committee of Dyfed Powys Police Authority assessed and interviewed the candidates for the office of Chief Constable. There were two candidates. The Committee was advised by a representative from HM Inspector of Constabulary who was very critical of one of the candidates, leaving the Committee feeling that it had no option but to appoint the other. Committee members complained about the HMIC representative, including to the Home Office. The issue entered the public domain. The unsuccessful candidate requested copies of relevant correspondence.

The issues in Roberts v IC and Dyfed Powys Police Authority (EA/2012/0032) were whether s. 40(1) or alternatively s. 40(2) applied.

The IC raised s. 40(1) belatedly, arguing that the withheld documents were the requester’s own personal data: the lateness “vexed” the Tribunal, and in any event the s. 40(1) argument was rejected, as the Durant conditions of biographical significance and focus were not met. The IC had sought to apply the definition of “personal data” too widely in a way that went beyond the Durant restrictions.

The s. 40(2) argument concerned the personal data of (a) members of the Appointments Committee (the Tribunal’s answer: disclosure would breach the data protection principles, as they were unpaid public representatives who were not at fault), and (b) the HMIC representative (the Tribunal’s answer: disclosure was for the most part ordered, given the representative’s role, the publicised allegations about her conduct and the fact that disclosure would result in minimal incremental distress).

The case illustrates the ongoing dominance of Durant, the need to distinguish between types of data subject and the relevance of well-founded allegations of wrongdoing or poor conduct by public officials.

Redacting officials’ names: lack of legitimate interest in disclosure

Armit v IC and Home Office (EA/2012/0041) is one of two appearance by the UK Border Agency in this post. The request was for copies of guidance relating to which light vehicles/drivers should be stopped and interviewed and what circumstance should lead to the vehicle being detained whilst a search is undertaken and identity checks undertaken, as well as for statistics about such ‘stops and searches’ carried out at Dover Port. UKBA’s refusal was based in part on s. 40(2): it sought to redact the names of the officials in a document entitled ‘Tourist Selection Indicators and Selection Techniques’. The Tribunal was not very impressed by the arguments that officials would not have expected public disclosure of their names. However, fatal to the requester’s case was the failure to identify a legitimate interest in public disclosure of the names of those officials. The Tribunal concluded that:

“We do not accept the argument that the officials would not have expected their names within the document to be made public and were not given compelling evidence of this. We were given no information as to their specific grading but they were described in the document as ‘lead contributer’ and ‘lead postholder’. They clearly have some responsibility in relation to the work.  We were given no compelling evidence that disclosing their names would result in victimisation, insult or any form of danger.  However, we do accept that the officials would prefer not to have their names identified and that might in itself represent a certain right and freedom or legitimate interests in itself. In any event, to process personal data, it needs to be necessary to pursue the purposes of legitimate interests pursued by others.  In this case, we do not find that the Appellant has shown any legitimate interest in the names of the officials being disclosed to the public under FOIA. We conclude that the information is therefore exempt from disclosure.”

The case illustrates the importance of requesters making out a legitimate public interest in knowing the identity of officials whose names appear in requested documents where those officials are not obviously senior enough for a general accountability argument to suffice.

Neither confirm nor deny: involvement in court proceedings

In Mahajan v IC (EA/2011/0240), the requester sought information about the conduct of criminal proceedings in which he was involved, in particular relating to note-taking, recording, legal aid payments, contributions made by the judge during the hearing and communications between the requester and the court’s administrative staff.

The IC found that the request could be refused on the grounds of s. 40(5) FOIA, the “neither confirm nor deny” exemption for personal data. The argument was that the individuals identified in the requested information would have a legitimate expectation that information that might or might not confirm whether they had been part of an investigation and/or court proceedings would not be released.  A confirmation or denial would, it was argued, reveal some information which was not already in the public domain and was not reasonably accessible to the general public. It would also publicise the existence or otherwise of an investigation and court proceedings involving those named parties.

For some parts of the request, the Tribunal agreed: any answer would reveal personal data the public disclosure of which would breach a data protection principle. For the most part, however, the Tribunal disagreed with the IC. A major aspect of its reasoning was that much of the information related to a public court hearing: therefore, disclosing that an individual had been a judge in that hearing, or had appeared as an advocate would not breach any of the data protection principles. In addition, some of the “data subjects” were in fact not living individuals but commercial entities.

This case illustrates the importance, when taking a “neither confirm nor deny” stance, of assessing why mere confirmation or denial of whether the requested information is held (as opposed to disclosure of that information itself, if held) would breach a data protection principle.

Interestingly, while the Tribunal disagreed with the IC on a number of the s. 40(5) FOIA arguments, it went on to agree with the public authority that those parts of the request were plainly vexatious and could be refused on s. 14(1) FOIA grounds.

Qualifications of legal advisor

In Hodson v IC (EA/2012/0084), the Tribunal decided that information about the professional qualification of an individual fulfilling the role of Legal Adviser to Scunthorpe Magistrates’ Court should be disclosed but that he was not entitled to receive information about the Adviser’s other academic qualifications. Its nuanced approach (i.e. approaching different types of personal data differently) is summarised at its paragraphs 18 and 19:

“In view of the functions performed by Legal Advisers in a Magistrate’s Court, and the impact they are capable of having on those appearing before the court, we believe that there is a strong public interest in knowing that anyone fulfilling the role has the qualification of barrister or solicitor. That is to say the qualification that the Ministry of Justice holds out Legal Advisers as possessing. We believe that, were that information not to be a matter of public record, there would be strong public interest in its disclosure and that this would outweigh the individual’s right to privacy.

It follows that, were the position of Legal Adviser to be held by a person having any other qualification, there would be an equally strong public interest in that qualification also being publicly known. And that would apply whether the qualification was a non-legal one or a legal one that was less than full qualification as a barrister or solicitor. Examples of the latter would include a law degree, Chartered Institute of Legal Executives qualification, or completion of a Legal Practice Course or Bar Professional Training Course. But if the Legal Adviser holds the professional qualification of barrister or solicitor then the public interest in information about any other qualification, whether legal or non-legal, academic or professional, is greatly reduced. Disclosure, in those circumstances would constitute an unwarranted interference with the individual’s rights and freedoms.”

Nationality of opponent in litigation

Someone referred to as AF brought legal proceedings against Mr Philip Brown. Mr Brown incurred considerable costs as a result. He hoped to recover those costs if he won the case. In practice, he could only do so if AF was a British national; if he was a Nigerian national, he was thought likely to return there, putting him effectively beyond the reach of UK jurisdiction for enforcing any costs order. Mr Brown asked the UK Border Agency for “official information showing whether or not [Mr AF] is a UK citizen, or whether he is a Nigerian citizen who is in the UK on some sort of temporary permission”. The request was refused on s. 40(2) FOIA grounds; the Commissioner agreed.

The Tribunal in Philip Brown v IC (EA/2012/0094) also agreed. The requester argued that this was not “personal data”: Mr AF cannot be identified by his immigration status alone since that simply discloses whether he is one of 60  million people (if he is a UK national), or one of 120 million people (if he is a Nigerian national). The Tribunal rejected this as misconceived:

“What he is saying, in effect, is that if an individual is already known to the requester and

can be identified by him through information already held, then any additional information such as his immigration status, cannot be personal data because that does not identify him. Taken to its logical conclusion, it would mean that the Appellant could ask a public authority to disclose a range of information about Mr AF (for example, whether he is gay or straight, a Christian or a Muslim, divorced or single), on the basis that such information would only disclose the category of people to which Mr AF belongs and would not itself identify him.”

The requested information was “personal data” in Durant terms.

The requester also sought to rely on s. 35(2)(a) of the DPA, arguing that disclosure is “necessary for the purposes of, or in connection with, legal proceedings” and therefore that the data protection principles would not be breached. He said he needed the information in order to seek a protective costs order in accordance with the CPR.

The Tribunal considered the meaning of “necessary” in this context: it rejected the IC’s argument that “necessary” means “relevant and proportionate”, preferring Mr Brown’s view that it meant “indispensable, requisite, needful, that which cannot be done without”. The problem was that the requested information would not help with any application for a protective costs order. Condition 6(1) would not be met and s. 40(2) was upheld.

Robin Hopkins

Update on recent Tribunal decisions part 2: personal data of “low inherent sensitivity”

Posted on | by Robin Hopkins

The “personal data” provisions under s. 40(2) FOIA and regulation 13 EIR can often be very difficult to apply, particularly in light of the Durant “notions of assistance”, namely biographical significance and focus. It is correspondingly difficult to predict how such arguments will fare before the Tribunal. Two recent cases offer good illustrations. Both saw the Tribunal order disclosure of property-related personal data which was deemed to be of “low inherent sensitivity”.

Council housing

Exeter CC v IC and Guagliardo (EA/2012/0073) concerned a request for the addresses of all residential properties owned by or leased or rented to the Council. The Council refused the request. It was accepted that addresses constitute “personal data”, but the Commissioner considered it to be personal data of “low inherent sensitivity”. He found that disclosure would not breach any of the data protection principles. He ordered disclosure, subject to an exemption for addresses of properties allocated for housing those in need of protection.

The decision notice was upheld on appeal. The following aspects of its decision are notable (Tribunal comments appearing in italics).

As to the Council’s arguments for withholding the addresses:

  • The Council had conducted a survey of residents’ attitudes to such disclosures, but the particular questions and answers did not assist the Tribunal.
  • There was no clear evidence on the extent to which Council properties were already visually identifiable as such.
  • “The Tribunal observes that who owns property is not a private  matter. It has to be publicly recorded and available by way of Land Registry Records (although there is a fee for this information). There are many other ways that the ownership becomes public (e.g. local knowledge, press articles when properties are constructed, news articles and planning records).The Tribunal is satisfied that a tenant cannot therefore have a legitimate expectation that this information would not be disclosed.”
  • The Council argued that disclosure of the list of addresses would identify the residents as Council tenants and, as such, vulnerable, for example to being targeted by those wishing to prey upon individuals who were in financial difficulty. There was, however, no evidence before the Tribunal that disclosure would add to the pre-existing risk of such behaviour.
  • The only information (additional to the fact of the address) that can be discerned about any particular data subject by the disclosure of the disputed information was that they or their predecessor may have been financially unable to meet their housing needs at some time.

As to the arguments for disclosure:

  • “Additionally we are satisfied that there is a proper distinction to be drawn between those living in a Council owned asset and private accommodation, because the Council are accountable to the public for the way  they manage those assets and execute housing policy whereas a private landlord has no such additional public responsibility and that this must impact upon the reasonableness of any expectation that the Council would not publish this information.”
  • Disclosure would enhance transparency in allowing the public to be aware of the Council’s assets (i.e. its housing stock). By knowing how many properties the Council owns and where, the public would be enabled to scrutinise the distribution of Council properties between localities, analyse whether factors (such as levels of educational attainment) are correlated with the extent of Council owned housing in a given area.
  • Knowing the individual addresses would enable the public to see how Council properties are maintained, their state of repair and assess whether areas are under or over provided for.
  • “The Tribunal adds that such disclosure would also enable the public to review the type of housing stock owned and used by the Council and ascertain whether it could be used more efficiently to meet better the      needs of those in housing need. Analysis of the extent to which private      rentals are over or under used and whether this provides value for money      would also be enabled by disclosure of this information.”

Overall, the Tribunal agreed that addresses constitute personal data of “low inherent sensitivity”.

This is the second such case before the Tribunal. The Tribunal in Neath Port Talbot v IC (EA/2011/0037) ordered disclosure of the same type of information in another, less fully reasoned decision last year. While no First-Tier Tribunal decision is binding, the case for withholding such information seems nonetheless increasingly difficult to make out.

Building control applications

Martin and Karen Sharples v IC (EA/2012/0076) is a second recent case in the disclosure of personal data has been ordered in light of its “low inherent sensitivity”. The requesters sought information about building control applications made to Bolton MBC relating to roof conversions to residential properties in a specific cul-de-sac. The Council refused to provide the building control records and site visit notes, relying upon regulation 13 EIR (personal data). The issue was whether the residents/owners involved in those applications could be identified from the redacted records and notes and, if so, whether disclosure would breach any of the data protection principles.

The requesters argued that while they knew enough to identify the property owners from the requested information, a member of the public would not. The Tribunal was satisfied, however, that the owners could be identified – particularly given the availability of Land Registry searches, Google Earth and other ways to find out who lives where.

Like the Council residence addresses in the Exeter CC case however, this application information was considered to be personal data of “low inherent sensitivity”. Disclosure would not breach the data protection principles, in light of the following factors:

  • The information was similar to the sort of information routinely provided to estate agents and in planning applications (which are made public)
  • It would be discernible to a surveyor when the house changes hands
  • Some of the information was visible to the naked eye
  • Much of the information constituted confirmation of normal practice of construction to a fixed standard
  • The data subjects had not been told they could expect confidentiality
  • There was a legitimate public interest in transparency, in particular in being assured that the Council had properly assessed compliance whether the relevant regulations had been complied with

Many requests for personal data fail because the requester has not made out any or any sufficient legitimate interest in public disclosure of information impacting upon privacy. Sharples is interesting in that the emphasis worked the other way: the public interest does not appear to have been very pressing, but the personal data was sufficiently anodyne for disclosure to be the order of the day.

Robin Hopkins