WordPress + Bootstrap

The question of whether the convention on collective cabinet responsibility operates, in effect, as a trump card in the FOIA context has been considered in a number of tribunal cases (see further for example the Lamb case concerning a request for disclosure of the Iraq war cabinet minutes and the Cabinet Office case concerning cabinet discussions over the Westland takeover (“the Westland case”)). Last week, in Cabinet Office v IC, the First-Tier Tribunal handed down a decision in which it reconfirmed the principle that the convention, whilst undoubtedly an important consideration in the FOIA context, does not create any absolute bar against disclosure.

The facts of the Cabinet office case were as follows. In 1988, Rowntree Mackintosh, the well-known UK confectionary group, was acquired by Nestlé. The takeover was hugely controversial at the time. The decision to approve the takeover and not to refer it to the Monopolies Commission was taken by Lord Young, then Secretary of State for Trade and Industry. In 2008, a request was made by a Mr Aitcheson (A) for disclosure of all documents held by the Cabinet Office (CO) relating to the takeover dated between April and August 2008. That request was largely refused by the CO on an application of ss. 35(1)(a) and (1)(b) (respectively the government policy exemption and the ministerial communications exemption). In September 2010, the tribunal handed down its decision in the Westland case. In that case, the tribunal decided that the convention on collective cabinet responsibility did not operate so as to prevent disclosure of the minutes of the meeting of the cabinet in 1986, in which Michael Heseltine resigned due to his disagreement with colleagues over whether the government should intervene in the investment by an American company in the British helicopter manufacturer Westland plc. That decision was not vetoed by the Government (cf. the Lamb decision which was vetoed by the government). In light of the decision in the Westland case, A resubmitted his request to the CO for disclosure of information relating to the Rowntree takeover. The request was again refused. On this occasion the CO took the position that there were five documents which were exempt from disclosure under ss. 35(1)(a) and (b). It also refused to confirm or deny whether it held information revealing cabinet discussions of the takeover on an application of s. 35(3)).

The Commissioner concluded that, whilst the five documents fell within the ambit of the exemptions provided for under s. 35, the public interest balance fell in favour of disclosure. He also concluded that, whilst the CO had been entitled to conclude that s. 35(3) was engaged, the public interest balance weighed in favour of the CO being compelled to confirm or deny whether it held information revealing cabinet discussions of the takeover. The CO appealed against the Commissioner’s decision. It did so particularly on the basis that the decision failed to give due weight to the very strong public interest in upholding the convention on collective cabinet responsibility.

The CO’s appeal was unsuccessful. The Tribunal (chaired by Judge Angel) agreed with the Commissioner that both under s. 35(1) and under s. 35(3)  the public interest balance weighed in favour of disclosure. In reaching this conclusion, the Tribunal relied in particular on the following considerations:

–       the age of the information – the decision in question was now more than 20 years old

–       the move to a ’20 year rule’ – at the time of the request, the government had already made a policy decision to amend existing legislation so as to reduce the 30 year rule for historical records to be transferred to the National Archive to 20 years and the age of the requested information should be considered in that context

–       key characters had left the political stage – Lord Young was no longer in government at the time of the request and whilst he continued act as an adviser to the government he did so in relation to policy issues which were unrelated to takeover issues; he was not even performing that advisory role by the time of the internal review

–       ‘chilling effect’ unlikely – the CO’s arguments that disclosure would have a chilling effect on Cabinet discussions could not be accepted. This was particularly given the age of the information in issue. (The Tribunal was no doubt influenced on this issue by the fact that the disclosure in the Westland case had not apparently had any notably chilling effect on subsequent cabinet discussions)

–       diminished need for a ‘safe space’ – the CO’s  arguments that it needed to preserve a ‘safe space’ for cabinet discussions were in any event weakened by the fact that the regime governing takeovers had fundamentally changed by the time of the request. Thus, there was no live policy debate within government which required protection

–       strong public interests in disclosure – there were particularly strong public interests in favour of disclosure. Relevant here was not only the particularly controversial nature of the Rowntree takeover but also the fact that Lord Young had been exercising a ‘quasi-judicial’ role in respect of the takeover. Given his quasi-judicial role, there was a particularly strong public interest in revealing information which showed whether or not his decision had been compromised by improper political or other pressure.

It remains to be seen whether the government will now exercise its powers of veto to prevent the information being disclosed. 11KBW’s James Cornwell acted for the CO. Robin Hopkins acted for the Commissioner.

Anya Proops

Today, the Commissioner served – for the first time – a monetary penalty notice on a charity. The charity in question, Norwood Ravenswood Ltd, is a social care charity. One of its social workers had attempted to deliver to the home of prospective adopters certain background reports containing highly confidential sensitive personal data on four young children. Finding the couple out, and unable to fit the package through the letterbox, the social worker left the package in a concealed area at the side of the house. When the prospective adopters returned home, the package had disappeared. It was never recovered.

At the time of the incident, the charity had no specific guidance on sending personal data to prospective adopters. Further, and in breach of the charity’s data protection policy, the social worker in question had not received any data protection training.

The Commissioner found that there had been a “serious contravention” of the seventh data protection principle (i.e. that appropriate technical and organisational measures shall be taken … against accidental loss … of … personal data). Perhaps unsurprisingly, the contravention was also found to be “of a kind likely to cause … substantial distress” (for the purposes of the second limb of the test, in s. 55A(1)(b) of the DPA). In addition, the Commissioner concluded that the charity knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial distress, but failed to take reasonable steps to prevent the contravention within the meaning of s. 55A(3) of the DPA.

Although the Commissioner was not aware of any previous similar security breach, and the charity had voluntarily reported the incident to the Commissioner and had fully cooperated thereafter, the Commissioner nevertheless set the penalty at £70,000. Interestingly, the Commissioner does not appear to have taken the data controller’s charitable status to be a factor of any significance in this regard, on the basis that it had “substantial reserves”. Although the penalty is at the lower end of the spectrum of penalties awarded to date this year, it remains a substantial sum.

Overall, today’s decision serves as a useful reminder both of the potential consequences of inadequate data protection procedures and of the fact that even charitable bodies may face heavy penalties if serious contraventions occur.

There is still no monetary penalty case law to offer guidance. But, as regular readers of this blog may recall, the first appeal against a monetary penalty notice (brought by London Community Healthcare NHS Trust) is in the pipeline. It will be heard in December this year (with Tim Pitt-Payne QC and Anya Proops of 11KBW acting for the opposing parties).

One final thought, or, rather, question. The vast majority of the monetary penalty notices concern public authorities. Are public authorities really committing many more “serious contraventions” than private persons, or are they simply more likely to be reporting such contraventions to the Commissioner?

Ben Hooper

Cloud computing is becoming an ever more pervasive feature of the technological world. Whether one is dabbling in social networking or purchasing goods online, the truth is that we all, to a greater or lesser extent, now have our heads in the virtual clouds. However, the use of cloud computing inevitably raises important information law issues, particularly in terms of the impact on privacy rights and also under the Data Protection Act 1998. So far as the DPA is concerned, issues which fall to be considered include:

• who actually controls the data which is being processed via the cloud (i.e. who is liable under the DPA if things go wrong in data protection terms)

 

• what steps a data controller may be required to take to safeguard against misuses of personal data within the cloud

 

• the security implications of processing personal data through cloud computing and, in particular, whether the processing of data via the cloud is compliant with the seventh data protection principle

 

• the legality of using clouds which operate transnationally and, hence, which may bring into play the application of the eighth data protection principle on cross-border data transfers

Importantly, the Information Commissioner has today issued guidance which is designed to help organisations navigate their way through the potentially complex DPA issues which may arise in the context of cloud computing. You can find the guidance here.

Particular points to note about the guidance include the following:

• the Commissioner has (unsurprisingly) confirmed that the DPA applies to any processing of personal data which takes place in the cloud

 

• the guidance suggests that, when it comes to determining who is the ‘data controller’ in respect of data which is processed via the cloud, one should generally look to the purchaser of the particular cloud services (i.e. the cloud service customer). This is because it is typically the cloud customer who will determine the purposes for which and the manner in which the data is being processed (see further the definition of ‘data controller’ in s. 1(1) DPA). However, that is not to say that there will not be cases where the cloud provider itself has sufficient control over the data such that it can properly be designated as a ‘data controller’ under the Act

 

• if two or more data controllers within a ‘community cloud’ intend to share data they should take time to clarify their roles and decide who is the controller in respect of which data

 

• a data controller cannot simply assume that, because a cloud provider has a set of standard terms and conditions, those terms and conditions afford sufficient safeguards to guarantee compliance with the DPA. The data controller must itself take steps to ensure that the safeguards deployed by the particular cloud provider are fit for purpose, having regard not least to the sort of data in issue and how it is to be processed. This may well entail the data controller looking for cloud providers which can tailor their services to accommodate the data controller’s specific requirements

 

• data controllers should ensure that they are only putting data into the cloud which actually needs to be there. Thus, data controllers should effectively ensure that they are sieving their data before putting it on the cloud and should create clear records of the sort of data they intend to move to the cloud

 

• insofar as the particular cloud service results in the collection of meta-data about the data subject (e.g. information revealing transaction histories), data controllers should be aware that this may also constitute personal data to which the data protection principles apply

 

• cloud customers should adopt strategies to limit the chances that the use of cloud computing will breach the data protection principles, such strategies should include:

 

• conducting risk assessments

 

• ensuring that appropriate written contracts are in place with the cloud provider

 

• reviewing the quality and depth of the security arrangements offered by the cloud provider

 

• ensuring that adequate security measures are applied to the data (e.g. via encryption, use of password access etc)

 

• ensuring that the cloud provider has in place a suitable retention and deletion policy and querying what happens to any data on the cloud in the event that the cloud customer withdraws from the cloud

 

• ensuring that the cloud provider’s own access to the data is suitably controlled and limited

 

• taking measures to ensure that the cloud provider is not itself in a position to start adapting the purposes for which the data is being processed without the cloud customer’s authorisation

 

• exploring with the cloud provider the extent to which the data may be transferred abroad (e.g. because the cloud straddles a variety of different jurisdictions) and, further, the quality of any data protection regime applicable in any foreign jurisdiction to which the data may be transferred

 

• having policies in place which ensure that data subjects are properly informed about how their data is being processed

 

•  monitoring data compliance once the cloud services have been obtained

All organisations which use or provide cloud services should, as a matter of urgency, familiarise themselves with this policy or else risk developing a stormy relationship with the Commissioner in future.

Anya Proops