Late last year, Julian Wilson blogged about the Digital Economy Act 2010, and the judicial review challenge to its compliance with EU law – including data protection law. With those proceedings drawing near, I have written a thought piece for Practical Law on some of the related issues, available here.
ACPO TO BECOME SUBJECT TO FOIA WITHIN MONTHS
Earlier this year, we posted on the Deputy Prime Minister’s announcement that a number of bodies – including the Association of Chief Police Officers – would become subject to FOIA. In response to a question from Green MP Caroline Flint, the Justice Minister Nick Herbert has confirmed that an order would be placed before Parliament in the spring to implement this extension of FOIA to ACPO. It’s not clear if and when the same will be done for any other bodies mentioned in Mr Clegg’s speech, such as UCAS and the Financial Services Ombudsman.
LATEST DECISION NOTICE ON “EMISSIONS”
At the 11KBW Information Law seminar last week, I mentioned the imminent Tribunal decision in the GM Freeze case, which will consider how the term “emissions” is to be construed for EIR purposes. On a related note, readers may be interested to know that the ICO last week issued a decision notice requiring Ofcom to disclose information about electromagnetic radiation from ethernet power line adaptors, on the grounds that this fell within the definition of “information on emissions” under the EIR. Read the DN here.
NEW TRIBUNAL DECISION ON DISCLOSURE OF COUNCIL’S COMPROMISE AGREEMENT WITH EX-CEO
Those involved in requests for information about compromise agreements between public authorities and departing senior employees will wish to pay careful attention to the Tribunal’s very recent decision in Gibson v IC and Craven District Council (EA/2010/0095). In this case, the Tribunal ordered disclosure of information insofar as it related to the use of public funds; the remainder could be withheld on the basis of s. 40 FOIA. This provides an illuminating contrast with other s. 40 FOIA cases about compromise or severance agreements, such as Wilson v IC (EA/2009/0082) and Waugh v IC and Doncaster College (EA/2008/0038).
The Tribunal found that all information in the requested compromise agreement was personal data. It agreed that generally information on compromise agreements should not be disclosed – but, as ever, context is important. Here the case concerned a very senior employee; further, the Council’s ex-CEO left office with the Council finances “in disarray”, but the auditor had – ultimately – approved the settlement paid under the compromise agreement.
As to the lawfulness of disclosure, it observed that this term is not defined in the DPA, but “seems to mean that information may not be processed when the law does not allow it, as opposed to when two parties have entered into a voluntary agreement not to disclose the information”. In other words, a mere contractual agreement as to confidentiality does not suffice to render disclosure “unlawful”.
As to the fairness of disclosure, the Tribunal distinguished between information on the use of public funds and other information. It noted that compromise agreements are “personnel matters”, generally attracting a strong expectation of privacy. Although “personnel” information comes into existence as part of the employee’s professional (rather than personal) activities, some of it (such as pension contributions and tax arrangements) are “nevertheless inherently private and would attract a very strong expectation of privacy and protection from the public gaze”.
Again, expectations of confidentiality were not decisive on the question of fairness: the Tribunal did “not regard it as reasonable for the ex-CEO (or the council) to expect that certain information relating to the use of public funds, to be hidden from public gaze by virtue of a confidentiality clause agreed between them”. Nor was the Tribunal impressed by submissions that disclosure would have a substantial adverse impact on the ex-CEO’s employment prospects or personal life.
Ultimately, fairness and condition 6 from Schedule 2 DPA were determined in similar terms: the Tribunal found that “the legitimate interests of members of the public [in transparency] outweigh the prejudice to the rights, freedoms or legitimate interests of the ex-CEO only to the extent that the information concerns the use of public funds”.
DATA PROTECTION IN THE UK: CURRENT AND FUTURE CONCERNS
The British Medical Association has expressed concern this week about the Health and Social Care Bill – in particular, about its approach to data protection and the sharing of patients’ medical information. The Bill proposes a new “information standard” for the NHS which, according to the BMA, shows that “the Government has decided to place its desire for access to information over the need to respect patient confidentiality”. The new law would empower the Secretary of State to obtain such information as he considers it necessary to have; it would also widen the access to medical information by the NHS Commissioning Board, NHS Information Centre and local authorities. More detail on the proposed changes can be found in articles in the Daily Telegraph here, and the Guardian here.
The BMA wants to see the Bill amended: “so that it enshrines the need for explicit patient concent to any disclosure of information, unless the information has been properly anonymised or there is an overriding public interest.” The Department for Health, on the other hand, is confident that the proposals would preserve confidentiality and comply with the data protection law. Presumably, the Department means data protection law as implemented in the UK. At the 11KBW Information Law Seminar last week, I discussed the tension between the narrow approach to data protection that has prevailed under UK common law since Durant, and the considerably wider approach taken at a European level (and favoured domestically by the Information Commissioner).
On this subject, there is a very interesting report on Amberhawk this week, available here. This sets out in some detail the European Commission’s concerns about the UK’s apparently “bare minimum” approach to implementing its data protection obligations. It’s not yet clear what the Commission will do about this, but it appears to be only a matter of time before negotiation or confrontation on this issue comes to a head.
CONTRACTING OUT OF FOIA AND THE DPA?
Roy Greenslade has posted a very interesting piece this afternoon on his blog on the Guardian website about a purported instance of “contracting out” of FOIA and DPA rights. According to his piece, Cheshire West and Chester Council has signed a compromise agreement with a former employee in which he or she contracts not to make requests to the Council under FOIA or the DPA (the EIR is not mentioned). The Council is confident that these provisions are effective. The ICO takes the opposite view – I suspect it will not be alone in doing so. Click here to read the piece.