The papers from this week’s Information Law seminar are now on the 11KBW website here and here. Many thanks to all of those who attended. Thanks also to UK Human Rights Blog for reposting my post yesterday about the Protection of Freedoms Bill, and to those who have commented on Twitter about the seminar (searchable under #11kbw).
PROTECTION OF FREEDOMS BILL – A NEW DAWN FOR PRIVACY?
This post is an extract from my presentation at 11KBW’s Information Law seminar last night.
The Coalition Government’s Programme for Government, launched on 20th May 2010, made a number of commitments relating to information law, including issues about privacy and data protection. It also stated that the Government would introduce a Freedom Bill. On Friday last week (11th February) the Protection of Freedoms Bill was duly published, with lengthy explanatory notes stating that it implemented 12 specific commitments in the Programme for Government.
As well as extending the Freedom of Information Act (“FOIA”) and giving effect to the hitherto mysterious “right to data” promised in the Programme for Government, the Bill addresses a number of other information law issues:
(i) the taking and retention of DNA samples and profiles and other biometric data;
(ii) use of biometric data in schools;
(iii) regulation of CCTV and other surveillance camera technology;
(iv) the use of RIPA by local authorities;
(v) the employment vetting system, in particular the role of the ISA and the system of CRB checks;
(vi) the retention of information regarding convictions or cautions for offences involving consensual gay sex with a person aged 16 or over; and
(vii) the appointment and tenure of the Information Commissioner.
On the face of it the Bill appears to be a privacy-friendly piece of legislation, with a number of provisions that reduce the amount of information held by public authorities or that limit various manifestations of the “surveillance society”. However, the approach has its limitations.
First, the Bill is something of a rag-bag. For instance, why has the use of biometric technology in schools been singled out for attention? Is there actually any evidence that the existing DPA framework has not been coping with this adequately? There is little evidence in the Bill of a comprehensive attempt to think through issues about privacy: the impression is more of an attempt to address specific issues that have caused public controversy (e.g. employment vetting), created legal problems in Strasbourg (e.g. DNA retention), or otherwise caught the eye of politicians. Contrast the approach in New Zealand, for instance, where the Law Commission is conducting a comprehensive review of the law of privacy.
A second, related point is that the regulatory framework in this area is becoming increasingly fragmented. The Information Commissioner is responsible for the DPA. Other regulators deal with different aspects of privacy. The Office of the Surveillance Commissioners oversees the use of covert surveillance and covert human intelligence sources. The Interception of Communications Commissioner reviews the interception of communications, the acquisition of communications data and related issues. The Equality and Human Rights Commission also has a role to play in relation to article 8 of the Convention. Now in addition we are to have a Commissioner for the Retention and Use of Biometric Material and a Surveillance Camera Commissioner. A less scattergun and more considered approach to reform in this area might begin by looking at whether the time has come to introduce a Privacy Commissioner (perhaps by expansion of the existing ICO) to bring all of these various functions under a single roof. See here for discussion along similar lines.
A third point is that the Bill is very much focused on the activities of the public sector as a potential threat to privacy. For instance, the focus is on public sector rather than private operators of CCTV systems. There is nothing that reflects contemporary debates about the use of personal information by credit reference agencies or social networking sites.
PERSONAL DATA OF WHISTLEBLOWING CIVIL SERVANTS: REDACTION AND FAIRNESS
Those considering the disclosure of personal data in a civil service context will wish to pay close attention to last week’s decision in Dun v IC and National Audit Office (EA/2010/0060). This is the latest Tribunal exercise in forensic scrutiny of fairness under the “personal information” exemption at section 40 (applied in tandem with the first data protection principle under the DPA).
The disputed information concerned the NAO’s enquiry into the Foreign & Commonwealth Office’s handling of employee grievances of a whistleblowing variety, i.e. those in which the employee had raised concerns as to “the proper conduct of public interest, fraud, value for money and corruption in relation to the provision of centrally-funded public services”. The request for information was triggered by the FCO’s inadvertent publication on its intranet of a “track changes” version of the draft report sent to it by the NAO: this tended to suggest that the FCO had sought not only to correct points of fact in that draft report, but also to influence its conclusions.
It was argued that disclosure of the grievance and investigation information would be unfair, based largely on the complainants' expectations that their personal data would not be disclosed, and on the distress they would suffer from potentially being perceived as “trouble makers”.
A number of categories of arguably personal data were examined: junior civil servants’ names (outcome: don’t disclose), junior civil servants’ roles or job titles (outcome: disclose), contact details (outcome: don’t disclose, except for that part of an email address containing the name of a person whose name was otherwise to be disclosed), details of complaints and criticisms of employees (outcome: disclose in sufficiently redacted form).
The issue of redaction turned on whether disclosure in redacted form would preserve anonymity or achieve fairness – the NAO and IC had said no, but the Tribunal disagreed. It found that disclosure of whistleblowing case information in redacted form would be fair where (i) only those involved would be able to identify the persons being referred to, and (ii) those involved would not learn anything from the disclosed material which they did not know already.
This case is another instance of the established position that disclosure of the names of senior civil servants (here Grade 5 or above) will generally be fair, whereas disclosure of the names of their more junior colleagues generally will not. A note of caution here, however: the Tribunal was clear that no blanket policy should apply, and that fairness depends on the particular responsibilities and information with which the case is concerned.
One interesting aside: what of a civil servant who was junior at the time the information was created, but has since been promoted? Generally, subsequent events should not make a difference, but not necessarily: the Tribunal observed that it could “envisage a scenario where it is fair to disclose an earlier document in order to refute protestations of ignorance from the same individual who later becomes more senior and accountable”.
ENHANCED CRB CHECKS – YET AGAIN
The system of CRB checks (established under Part V of the Police Act 1997) is currently under review: for the review’s terms of reference, see here. At present, where an enhanced CRB check is carried out it is for the police to decide whether there is any non-conviction information that ought to be included in the enhanced CRB certificate: for instance, information about acquittals, or about allegations that have never been tested at a criminal trial. The legal principles governing this exercise – in particular, the relevance of Article 8 of the Convention – were extensively discussed by the Supreme Court in R (L) v Commissioner of Police of the Metropolis [2009] UKSC 3.
The recent decision of the Court of Appeal in Desmond v Chief Constable of Nottinghamshire Police [2011] EWCA Civ 3 raises a different issue: for the purposes of the law of negligence, do the police owe a duty of care to the individual who is the subject of the certificate? The Court of Appeal holds that they do not.
In Desmond, the claimant’s case (put very shortly) was that adverse information about him had been included in an enhanced CRB check; that the information disclosed was misleading; and that the decision to disclose could not be justified on the basis of the material available to the police, and had been reached without making proper enquiries. He brought a claim against the relevant Chief Constable, alleging (inter alia) breach of Article 8, breach of the Data Protection Act 1998, and negligence.
The claim in negligence was struck out, but this decision was partly reversed on appeal by Wyn Williams J, whose judgment is at [2009] EWHC 2362 (QB). On further appeal, the Court of Appeal restored the original decision to strike out the negligence claim in full. There was no proper basis for concluding that the chief officer was to be taken to have assumed responsibility to Mr. Desmond; the structure and purpose of the relevant legislation strongly suggested that there should be no duty of care; there was no case which persuaded the Court of Appeal, by analogy, that a duty of care should be imposed; and the existence of various other remedies that Mr. Desmond could pursue also supported the conclusion that no duty of care was owed.
The Court of Appeal also states that Article 8 of the Convention is likely to be applicable in every case where non-conviction information is disclosed as part of an enhanced CRB certificate, and that a breach of Article 8 would give rise to a potential damages claim under section 8 of the Human Rights Act 1998: see paragraph 9 of the judgment. It appears from the Court of Appeal’s judgment that Mr. Desmond’s Article 8 claim still continues, as does his claim under the Data Protection Act 1998.
COMMERCIAL INFORMATION AND HUMAN RIGHTS – NEW TRIBUNAL DECISION
Last month I blogged on a recent Tribunal decision which considered whether, following Veolia v Nottinghamshire CC [2010] EWCA 1214 (“Veolia”), human rights considerations had a role to play in FOIA/EIR cases involving the potential disclosure of confidential commercial information – see my post on the decision in Staffordshire CC v IC & Sibelco here. This month the Tribunal has promulgated another decision on the issue: see Nottinghamshire CC v IC & Veolia & UK Coal Mining Ltd (EA/2010/0142). The Notts case was concerned with a request for disclosure of particular information contained in a waste management contract between the council and Veolia. The particular information in dispute before the Tribunal was information contained in a schedule to that contract. In essence, the schedule detailed the leasing arrangements under which the council had an option to lease certain land from UKCM. The intention was that, once the leasing option was exercised by the council, Veolia would take a sub-lease of the land and then would build and maintain an incinerator on the land for the purposes of discharging its waste management obligations under the contract.
Contrary to the position adopted by the Commissioner, the Tribunal took the view that, despite the fact that it formed part of an overarching waste management contract, the information in the schedule did not in itself amount to environmental information (i.e. as it was simply information relating to prospective commercial leasing arrangements); accordingly, disclosure of the disputed information fell to be considered under FOIA rather than EIR. The applicable FOIA exemption was the commercial interests exemption (s. 43).
The Tribunal went on in its decision to comment on the application of human rights principles to the appeal, those principles having been considered by the Court of Appeal in the Veolia case. In essence, the Tribunal appears to have held that: (a) following Veolia, valuable commercial information could constitute a ‘possession’ of UKCM under Article 1 of Protocol 1 ECHR; (b) if the disputed information amounted to a ‘possession’, then UKCM had a right to privacy in respect of that information under Article 8(1) ECHR; and, accordingly, (c) disclosure under FOIA of that information would only be lawful if it was justified for the purposes of Article 8(2) ECHR. However, having reached these conclusions, the Tribunal appears to have taken the view that in fact these human rights considerations did not add very much to the overall analysis under FOIA, particularly as the requirements of the Article 8(2) justification test were already effectively reflected in the public interest balancing exercise which was built into s. 2 FOIA (see para. 74 of the decision).
It remains to be seen whether those with an interest in avoiding disclosure of commercially sensitive information will seek to argue in other cases before the tribunal that human rights considerations do in fact alter the analysis of the public interest balance under FOIA and, in particular, that they increase the weight in favour of maintaining the s. 43 exemption.
GOVERNMENT ANNOUNCES PLANS TO EXPAND THE FOIA EMPIRE
The Ministry of Justice has today unveiled plans to extend the scope of FOIA, including plans to expand the number and type of bodies which are subject to FOIA. New authorities falling within the ambit of FOIA will include the Association of Chief Police Officers, the Financial Services Ombudsman, UCAS and all companies wholly owned by more than one public authority. The MOJ also intends to consult on bringing within the scope of FOIA a range of further bodies which are believed to perform public functions, including for example: Examination Boards, Harbour Authorities, the Local Government Association and NHS Federation. The Bar Council and the Law Society are also apparently identified as possible candidates for inclusion. There are also plans to make most public records available at the National Archives after 20 years (rather than the current arrangements where access is not permitted until after 30 years). The Justice Minister Lord McNally has confirmed that the Government intends to carry out a ‘full review of the FOI Act to ensure it is still operating in the most effective way’. In practical terms, it is intended that the extension of FOIA to new authorities such as ACPO and the FS Ombudsman will be achieved via a Freedom Bill to be introduced by February 2011. See further the MOJ’s Press Release here.