UPDATE ON RECENT TRIBUNAL DECISIONS

The First Tier Tribunal (Information Rights) has had a busy start to 2012, with 7 decisions on its website already.

The first judgment out was Herbert v ICO and West Dorset District Council, EA/2011/0157. The appellant sought correspondence concerning the transfer to the Council of property previously owned by Lyme Regis Borough Council. The Council refused the request on the ground that it was vexatious. The history of this case related to incidents and disputes regarding a different matter, between the appellant and the Council dating back to 1992, which culminated in 1996 when the Council revoked a licence held by the appellant. The ICO agreed that the request was vexatious. The appellant submitted that he had a genuine interest in the history of Lyme Regis and that he believed that some historical documents were missing from the National Archives and that they had been retained by the Council because they related to illegally acquired property. The Council had previously allowed him to research their archives on another matter and he wished to be able to do so again to look for these missing documents. He said that he had expected the ICO to contact him so that he could put forward further arguments. The FTT agreed with the ICO and the Council that the request had been made under FOIA (and not the EIRs). The FTT set out the key principles that have been applied by Tribunals in considering whether requests were vexatious under s14 FOIA. The FTT considered the background and found that the appellant’s request was obsessive. Further, the request had the effect of harassing the Council (even though the language was not hostile), as allegations of illegality and impropriety were made at the same time as the requests and there was a context of a high volume of correspondence. The Council had made extraordinary efforts to accommodate the appellant’s requests over a considerable period of time and valuable resources of time and effort had been used which could otherwise have been used more productively. In the view of the FTT, to accommodate this request would constitute a further and significant burden on the Council. The FTT concluded that the request was vexatious.

The next decision to be promulgated was King v ICO, EA/2010/0126. The appellant sought from the ICO records of complaints where Crawley Borough Council had failed to comply with FOIA/EIRs and the ICO never served a ‘decision notice’. The ICO refused the request on the ground that the information consisted of ‘third party information’ that was exempt from the requirements of disclosure. It did not identify the exemption relied on for refusing to disclose the information. However, it did provide the appellant with a summary of the information requested. Further information was provided by the ICO in response to the appellant’s request for a review of the decision. The appellant then asked for the information with just the personal details of individuals removed. The ICO refused, citing s.44 FOIA, as exempting information that is prohibited from disclosure under another Act, namely s.59 DPA (which prevents disclosure of information collected in the course of an investigation where there is no lawful authority to do so). The appellant requested a review of this decision. In subsequent correspondence, the ICO relied on s.40 FOIA (the data protection exemption). The appellant then asked the ICO to make a decision under s.50 FOIA as to whether it had complied with the Act. Having previously been acting in its capacity as a body which was itself subject to FOIA, the ICO then changed back to its normal hat. The ICO said that it was reversing its decision and it provided the appellant with the letters which had been sent to the Council in the cases alleging non-compliance with FOIA, with personal data redacted. The appellant disputed that this resolved his request; he also wanted the documents from the individuals making complaints and from the Council. The ICO denied that these had been within the scope of his original request.
The ICO subsequently issued a decision notice stating that it had provided the appellant with the information requested, but that it had breached FOIA (including by not holding an internal review at the right stage, by not providing the information at the outcome of the internal review and by not acting within the time-scales in the Act). The appellant appealed, arguing that the ICO had not provided all information which fell within the scope of his request, had misinterpreted his request and had breached the duty to provide advice and assistance. In relation to the scope of the request, the FTT criticised the ICO for not having properly analysed the request but found that in fact it had provided all information that fell within the scope of the request. The appeal therefore failed. The FTT also found that the ICO was not in breach of the duty to provide advice and assistance; the appellant argued that the ICO should have asked him to clarify his request, but the FTT found that this was not necessary because the request was in any event clear and adequately specified the information sought. This case very much turned on its facts, but it is interesting to see the application of FOIA to the ICO as a public authority and it is also a useful reminder to carefully read the request from the outset.

The third decision out in 2012 was Newcastle Upon Tyne Hospital NHS Foundation Trust v ICO, EA/2011/0236. This appeal was struck out because the judge considered that there was no reasonable prospect of it succeeding. The disputed information was statistics about the number of people dismissed over a three-year period. The Trust refused to provide the information, on the ground that it was reasonably accessible (s.21 FOIA) by way of an application in the employment tribunal litigation. The Trust subsequently provided the information voluntarily. The ICO found that the Trust had misapplied s.21 FOIA. The Trust appealed, arguing that “The point at issue is one of prioritising the correct forum by which information is provided. The Trust point is that once proceedings are issued, the correct forum lies within the proceedings that have been issued, in this case the Employment Tribunal”. Not surprisingly, the judge found that this argument had no reasonable prospect of success. FOIA rights are not put on hold if there is litigation between the parties. Further, information obtained under FOIA can be used for any purpose whereas information obtained in litigation can only be used for that purpose and so litigation disclosure is not an answer.

Cross v ICO, EA/2011/025 is also a strike out decision. The appellant sought from Havant Borough Council a building control decision notice, plans and inspection records relating to a loft conversion to his home carried out in 1987. The Council refused the request under the EIRs, on the ground that the information was not held at the time of receipt of the request. The appellant believed that he had seen these documents on a visit to the Council and that, whilst it was possible that they had subsequently disappeared, his appeal should not be struck out. However, the Council had conducted a six-day trawl for the information and the judge found that it was obviously willing to provide the information if it could be found. The appeal was therefore struck out as having no reasonable prospect of success.

Finally, in Martyres v ICO and NHS Cambridgeshire, EA/2011/020, the FTT dismissed an appeal by an appellant who sought all information held by NHS Cambridgeshire (and its relevant community services provider) in respect of her deceased mother, who had died on 29 August 2009, including information about the care received by her mother at a care home she was staying at prior to her death. The appellant argued that she was the next of kin, proposed executor and trustee of one of the Wills and had a valid claim against her mother’s estate under the intestacy rules. In relation to s.41 FOIA, the FTT found that the information was obtained from another person (social care professionals), that it possessed the necessary quality of confidence and that disclosure would constitute an actionable breach of confidence. The FTT further concluded that s.21 FOIA did not apply, in that the appellant would not have been able to obtain the disputed information under the Access to Health Record Act 1980 (as the appellant claimed); whilst she was the nearest relative, she was not the personal representative. The FTT also dismissed the appellant’s arguments under the Human Rights Act 1998.

Rachel Kamm

LATE RELIANCE ON EIR EXEMPTIONS AS OF RIGHT

Readers will recall that the Upper Tribunal decided in early 2011 that public authorities are entitled as of right to rely on any exception / exemption under either the Freedom of Information Act 2000 or the Environmental Information Regulations 2004 at any stage of the proceedings.

In that case, the Upper Tribunal considered two appeals together. The first was an appeal brought by DEFRA, challenging the Tribunal’s decision that it could not now seek to rely on additional exemptions under the EIRs and that it was limited to the exemption that it had relied on at the time of its refusal to disclose environmental information to Mr Birkett (the founder of the cross-party Campaign for Clean Air in London). The second was an appeal brought by the Information Commissioner, challenging the Tribunal’s decision that the Home Office was entitled as of right to rely on new exemptions under FOIA.  At the hearing of the appeals before the Upper Tribunal, DEFRA submitted that it was entitled as of right to rely on the new exceptions/exemptions, Mr Birkett said that a public authority could not lawfully rely on new exceptions/exemptions before the Commissioner and the Tribunal, and the Commissioner adopted a middle course (namely that while there was no right to rely on new exceptions/exemptions, a public authority could be permitted to do so at the discretion of either the Commissioner or the Tribunal). The Upper Tribunal agreed with the public authorities that they could rely on a new exception/exemption at any time under either FOIA or the EIRs.

Mr Birkett appealed against this decision about the EIRs to the Court of Appeal: Birkett v The Department for the Environment, Food and Rural Affairs [2011] EWCA Civ 1606.

Lord Justice Sullivan (with whose judgment Lord Justices Lloyd and Carnwath agreed) started by considering the Aarhus Convention on Access to Information, Public Participation in Decision Making and Access to Justice in Environmental Matters. The Council Directive 2003/4/EC on public access to environmental information implements the Aarhus Convention and is itself implemented in domestic law by the EIRs. Mr Birkett argued that it was necessary to interpret the Directive (and in turn the EIRs) as preventing a public authority from relying on a new or different exemption after the internal review stage; otherwise the complainant would not have an effective remedy because they would not know the reasons for the public authority’s refusal of their request for information.

Lord Justice Sullivan rejected Mr Birkett’s argument. He took into account that the Directive does not proceed upon “the unlikely premise that within the prescribed tight timescale the public authority will always ‘get it right the first time’, hence the review process provided for by Article 6. While some decisions may be relatively straightforward, the question whether some information, and if so how much of that information, falls within one or more of the exceptions may well be a question of some complexity. Are documents protected by legal advice or litigation privilege, are there intellectual property rights in certain information, etc.? The exceptions are concerned with important public interests.” (paragraph 21). He held that “The Court or other legal body conducting the review under Article 6(2) is not reviewing the decision made by the administrative reviewer under Article 6(1), it is reviewing ‘the acts or omissions of the public body concerned.’ Thus, the court must consider de novo the propriety of releasing the information. Such a process is bound to discover errors and omissions in the exceptions relied upon in initial decisions, and it would be surprising, given the balancing exercise required by the Directive, if those errors were incapable of subsequent correction.” (paragraph 23).

Lord Justice Sullivan went on to give a hypothetical example of a public authority which mistakenly fails to rely in its refusal notification upon an adverse effect upon public security or national defence. Mr Birkett considered that this would happen rarely and that the solution was for the Commissioner / Tribunal to refuse to allow the public authority to rely on that exception / exemption late but to exercise its discretion to refuse to order disclosure of the information where that was necessary to avoid a breach of human rights (paragraphs 24 and 25).

Lord Justice Sullivan rejected Mr Birkett’s proposed solution. The public interests protected by the exemptions in the EIRs were not just human rights. Further, the Commissioner and the Tribunal were able to exercise effective judicial control, for example by requiring an appellant to set out his grounds at an early stage in the grounds of appeal. “Any application by the public authority to rely upon a new exception made after the time limit for its grounds of appeal/response would be subject to the Tribunal’s case management powers under rule 5; see also rules 22(4) and 23(5) which deal with the submission of notices of appeal and responses out of time.” (paragraph 28). He concluded that the public authority was entitled to rely as of right on new EIR exemptions in the notice of appeal to the Tribunal.

Note that there was no appeal from the Upper Tribunal’s decision in the Home Office case about FOIA, which remains good law. It is also noteworthy that the Commissioner chose not to participate in the appeal, which meant that the Court of Appeal did not hear submissions on the middle course which it had proposed to the Upper Tribunal in the Home Office case. Lord Justice Carnwath commented that “There would have been attractions in an alternative approach, which could have reconciled the need for urgency, implicit in the CJEU case-law, with the need for flexibility in the operation of the scheme” (paragraph 31).

As a result of this decision, the general rule is that public authorities can rely on any exception / exemption at any time under the EIRs or FOIA. However, note that there is still a different approach where the public authority seeks to rely on the cost exception in FOIA after its initial decision; see our post on this topic here.

Rachel Kamm

GOOGLE

Tugendhat J ended his judgment of 19 December 2011 in AB v Barristers Benevolent Association Ltd [2011] EWHC 3413 (QB) by saying: “This judgment may alert practitioners to the possibility that information stored on a cache by Google may take several days to have removed”.

The BBA provides support to barristers in many different circumstances, including by way of loans. AB is a barrister who sought a loan from the BBA about six or seven years ago. On 5 December 2011 it was brought to her attention that confidential correspondence between herself and the BBA was available on the internet. She conducted a search through Google and found the information herself.

On 6 and 7 December 2011 the judge on out of hours duty granted an injunction without notice to the BBA. The injunction was discharged because an injunction against the BBA was unnecessary. There was no dispute that the documents in question contained confidential information, and that its confidentiality should be preserved.

On 5 December AB had contacted the BBA. The official she spoke to was already aware of the problem.  The BBA assured AB that the BBA’s IT consultant was addressing the issue as a matter of urgency.

The information remained accessible on Google throughout 6 December. The IT consultant said he was doing everything he could. He explained that the problem lay with Google, and that it might take some time for all their servers to be synchronised so as to remove the information from the caches. He explained he had been calling Google offices all over the world to try to get action, without success.

What had happened to give rise to this affair was explained by the IT consultant in a witness statement.  In 2005 or 2006 his firm had been asked by the BBA to assist in removing data from one hard drive to a new one. The process was carried out by copying data to a temporary file, which should have been deleted, but was not. It was retained inadvertently on a server. At the time that did no harm, because the server was not publicly available. However a technical change by the firm’s broadband supplier O2 led to the server becoming available to Google to pick up the data without the firm knowing that that was happening.

On Friday 2 December 2011 the BBA became aware that the information was available through Google. The BBA immediately contacted the IT consultant and asked him to deal with it as a matter of extreme urgency. The IT consultant’s firm identified what had happened. He removed the source of information from its server and disconnected the server from the internet. All the data that had been inadvertently stored was deleted. He then contacted Google via the webmaster tools requesting the removal of the material from the Google cache. This is where the problem arose.

On 5 and 6 December the IT consultant made numerous further attempts to contact Google to have the information removed from the caches as a matter of urgency. According to his evidence, and the e-mails that he has exhibited, he could not have expressed himself more forcefully, or more urgently, but he received no prompt response from Google. It was not until 10 pm on Tuesday 6 December that he found some files had been removed by Google.

On the morning of 7 December the IT consultant discovered that there was still information that had not been removed from the caches. He contacted Google again on more than one occasion.  It was not until Friday 9 December that Google had fully complied with his request to remove the information in its entirety.

COURTING DISCLOSURE UNDER SECTION 32

The Institute of Chartered Accountants (“ICA”) has a policy of seeking the Certificate of Conviction of any of its members who have been found guilty of an offence which may relate to their appropriateness to act as a chartered accountant. However, the Courts Service (“HMCTS”) refused to confirm or deny holding an individual’s Certificate under section 32 FOIA because it was a document created by the court for the purpose of proceedings. A Certificate of Conviction is currently governed by section 73 of the Police and Criminal Evidence Act 1984, but has existed since the mid-nineteenth century. It acts as conclusive proof of conviction.

In ICAEW v IC & Ministry of Justice (EA/2011/0148, judgment of 8 December 2011) the Tribunal upheld the Commissioner’s decision notice that the HMCTS was not required to confirm or deny holding the information. The Tribunal followed the decision of the Court of Appeal in Kennedy v IC [2011] EWCA Civ 367 that the protection of section 32 was ongoing after the conclusion of proceedings, and that it could not logically matter whether the court created the document before or after the verdict because it was for the purpose of the proceedings. The ICA’s attempt to construe “proceedings” as excluding the issuing of a Certificate of Conviction was said to be “narrow and artificial” by the Tribunal: at [42].

The Tribunal also reiterated the section 32 jurisprudence that the purpose of the exemption is to ensure that the court can regulate access to its own files. Access to court records can be sought under the Civil Procedure Rules, but the Criminal Procedure Rules do not provide for access to a Certificate and the Tribunal considered this to be very relevant. A Certificate is not itself publicly accessible, even if the information it contains may be reported publicly elsewhere. (Section 32 being an absolute exemption, this fact provided the ICA with no assistance.)

There is not a large amount of case law on the application of section 32 – and my involvement on behalf of the Commissioner precludes analysis of the Tribunal’s judgment – but the ICAEW case does provide some helpful reiteration of the purpose and scope of the absolute exemption, stressing that access to court records is very much a matter for that court and is not to be circumvented by FOIA.

Christopher Knight

PRIVATE EMAILS AND TEXTS SUBJECT TO FOIA

Following the emergence earlier this year that Department for Education officials had, apparently routinely, used personal email accounts for the conducting of official business, the ICO has considered this issue. It has today issued guidance that many FOI officers and lawyers will find notable, to say the least.

The key points:

  • FOIA applies to official information held in private email accounts when held on behalf of the public authority. So too text messages. This much is obvious from the definition of ‘held’ in s. 3 of FOIA. The question is exactly what this means, and what to do about it.
  • There will be occasions on which, having searched its own systems, the public authority will be expected to ask employees (or contractors etc) to search their personal email accounts/text messages for information described in a FOIA request.
  • The ICO expects such occasions to be ‘rare’. I think this means that the ICO will not expect the public authority to do so simply because a requester asks it to; something more will be required.
  • What is that ‘something more’? The ICO recommends public authorities look out for ‘relevant factors’ which may trigger the duty to ask.
  • These factors include the nature, wording and subject matter of the request.
  • They also include “how the issues to which the request relates have been handled within the public authority”. This may be another way of asking: is the public authority aware that this sort of thing has been going on?
  • Another relevant factor is “by whom and to whom the information was sent and in what capacity, e.g. public servant or political party member”. This is often a blurred line, one imagines. Not sure how this could be scrutinised (other than hacking into private systems, which is not nice, not fashionable and not legal).
  • Public authorities should establish procedures for dealing with such situations.
  • They should keep records of any private email account/text message searches they have requested.
  • Public authorities should remind staff that, where a request for information to which the requester would be entitled has been made, it is a criminal offence to erase or conceal that information with the intention of preventing disclosure (see s. 77 of FOIA).
  • ‘Concealment’ would include denying that anything of an ‘official capacity’ nature is (or, at the time of the request, was) in one’s private email inbox or text message folder.
  • Public authorities should tell their employees not to use private channels for official business in the first place.

Panopticon understands from some of its friends in the media that requests aiming at exactly this sort of information were fired off this morning (or earlier this week, in anticipation of the new ICO line).

Meanwhile, a decision on the complaint against the Department for Education is in the pipeline.

Panopticon will be keeping its Benthamite eye on how these matters unfold.

Robin Hopkins

THE INFORMATION COMMISSIONER’S ROLE UNDER THE DPA

An interesting issue about the scope of the DPA arose in The Law Society and others v Rick Kordowski [2011] EWHC 3185 (QB). The Law Society and a number of firms of solicitors sought an injunction requiring the Defendant, the publisher of the “Solicitors from Hell” website, to cease publication of the website in its entirety and to restrain him from publishing any similar website. The causes of action relied upon were libel, harassment under the Protection from Harassment Act 1997 and breach of the Data Protection Act 1998.

The Defendant was the data controller of personal data, including sensitive personal data (for example, allegations made by a third party on the Defendant’s website about the alleged commission of an offence by a solicitor). Mr Justice Tugendhat did not mince his words in finding that the Defendant was in breach of the DPA:

“In breach of the First Data Protection Principle the Defendant has not processed the personal data of the solicitors and other individuals named on the Website fairly and lawfully. The Defendant has processed the said personal data in a grossly unfair and unlawful way by, in particular, (a) publishing highly offensive defamatory allegations about these solicitors and other individuals on the Website; (b) pursuing a course of conduct against these solicitors and other individuals that amounts to harassment contrary to the PHA; (c) on numerous occasions refusing to remove the posting about a solicitor or other individual unless the Defendant is paid a fee. This is not permitted by law and is disreputable. (d) None of the conditions in Schedule 2 of the DPA 1998 is met by the Defendant in respect of the processing of the said personal data on the Website.

In breach of the Fourth Data Protection Principle the personal and sensitive personal data about solicitors and other individuals processed by the Defendant and published on the Website is not accurate, indeed it is usually seriously inaccurate. The Claimants rely upon the following, amongst other matters: (a) The wholly inaccurate and untrue allegations processed and published by the Defendant via the Website about the Third Claimant; (b) The Schedule of Complaints which sets out and describes how the personal data of solicitors and other individuals processed and published by the Defendant via the Website is inaccurate. (c) The Defendant’s failed attempts to justify defamatory allegations in the many cases brought against him for libel in respect of the defamatory publications on the Website as evidence of inaccurate information; in breach of the Sixth Data Protection Principle the Defendant did (and does) not process personal data of the solicitors and other individuals who are Individual Complainants in accordance with their rights, as he has failed to comply with the request made in the Complaints’ solicitor’s letter dated 12 August 2011.

…on 12 August 2011 the Claimants’ solicitor gave the Defendant formal notice under section 10(1) of the DPA that the individual complainants, who include the Third Claimant, required the Defendant to cease the processing of their personal data (i.e. to remove the offending material from the Website and destroy any copies retained elsewhere) as the processing of this data was (and continues) causing them unwarranted damage and distress. Additionally, the Claimants’ solicitor required the Defendant to agree not to process any data in the manner complained of in the future. As a result of the Defendant’s failure to comply with the Notice, he has breached the Sixth Data Protection Principle. The Defendant did not state that he considered the notice to be unjustified (as he could have done under section 10(3)(b) of the DPA).”

Not surprisingly, given these findings, Mr Justice Tugendhat concluded that the Third Claimant was entitled to an order under section 10(4), requiring the Defendant to comply with the Notice. He went on to comment on the scope of the DPA and the Information Commissioner’s powers. The background was that the Chief Executive of the Law Society had written to the Information Commissioner to complain about the website. The Information Commissioner had responded that the DPA was not designed to deal with this kind of case. The Commissioner considered that it was “not the purpose of the DPA to regulate an individual right to freedom of expression – even where the individual uses a third party website, rather than his own facilities, to exercise this”. He relied on section 36 DPA, which provides that “Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the Data Protection principles under provisions of Parts II [rights of data subjects and others] and III [Notification by data controllers]”. The Commissioner also highlighted the practical difficulties of trying to use the DPA to regulate material posted on websites.

Mr Justice Tugendhat expressed considerable sympathy with the Commissioner’s comments about the practical difficulties in cases such as this. However, his starting point was that the offensive comments on the website in question were unlawful and that the DPA required that data be processed lawfully. He did not see how the exemption in section 36 DPA could apply in this case. Mr Justice Tugendhat commented that had the Defendant been publishing information in the public interest on his website, he could have relied on the exemption relating to journalism in section 32 DPA. Further, the fact that a claimant may have claims under common law torts or the Human Rights Act 1998 did not prevent enforcement under the DPA. He concluded by commenting that where there is any room for argument as to whether processing is unlawful under the general law, it may be more appropriate that a complainant should be required to pursue his remedy in the courts, and further that there may be many grounds on which the Commissioner may properly decline to exercise his powers under Part V DPA. However, where there is no room for argument that processing is unlawful, it was more difficult to say that the matter was not one which could be dealt with under Part V DPA. This ruling potentially has significant implications for the Commissioner in practice.

Rachel Kamm