Disclosing Disciplinary Records Under FOIA

Posted on | by Anya Proops KC

The Information Tribunal has recently handed down a decision in which it upheld the Commissioner’s conclusion that information as to judges’ serious misconduct was exempt from disclosure under the personal data exemption provided for under s. 40(2)(c) FOIA – Guardian Newspapers v IC (EA/2008/0084). The decision is interesting not least because it highlights the Tribunal’s continuing reluctance to treat personal data concerning disciplinary matters as being disclosable under FOIA (see further on this point the earlier cases of Waugh v IC & Doncaster College (EA/2007/0060) and Roger Salmon v IC & King’s College (EA/2007/0135)). Notably, the Tribunal also held that the information in question was exempt under s. 31(1)(c) FOIA (administration of justice exemption).

The central issue in the appeal was whether disclosure of the information would contravene the first data protection principle (DPP1) contained in Schedule 1 to the Data Protection Act 1998 (DPA) and, hence, render the information absolutely exempt from disclosure under s. 40(2)(c) FOIA. The Tribunal held that DPP1 would be contravened. In reaching this conclusion, the Tribunal took into account in particular the facts that:

·         the DPA contained an exclusion which prevented judicial office holders themselves gaining access to data which revealed assessments of their ‘suitability to hold judicial office’ and it would be an odd result if third parties could access such data under FOIA but the data subjects themselves could not (para. 91);

 

·         some of the information would amount to sensitive personal data which would require that one of the stringent conditions contained in Schedule 3 be met in order for the disclosure to be in accordance with DPP1 (para. 92);

 

·         some information was already in the public domain as to the fact and scope of reprimands  or serious actions (para. 93);

 

·         the judges themselves would have a reasonable expectation that their disciplinary record would be kept confidential (para. 96);

 

·         there would a risk that judges would suffer great distress if the information were to be disclosed and, further, that their future authority and their future employment prospects would be jeopardised (para. 97).

 

In addition the Tribunal held that s. 31(1)(c) FOIA was engaged in respect of the information and that the public interest weighed in favour of maintaining that exemption. In reaching this conclusion, the Tribunal took into account in particular the fact that, in its view, disclosure of the information would undermine a judge’s authority while carrying out his or her judicial function and would otherwise disrupt the judicial process by encouraging legal representatives to seek adjournments by reason of alleged concerns about the judge’s good standing (para. 106). 11KBW’s Karen Steyn appeared on behalf of the Ministry of Justice.

The End of the Control Orders Regime?

Posted on | by Anya Proops KC

The House of Lords has today handed down an important judgment on the rights of individuals who are subject to control orders (“controlees”) to access information which has been relied upon by the Home Office as justifying the imposition of the orders – Secretary of State for the Home Department v AF & Ors [2009] UKHL 28. The judgment was concerned, in particular, with whether the process by which the courts supervise the application of control orders under section 3(10) of the Prevention of Terrorism Act 2005 was compliant with the controlee’s rights under Article 5(4) (right to take proceedings to determine lawfulness of detention) and Article 6 (right to a fair trial). That judicial supervision process had historically operated so as to a create a situation where the Secretary of State could put before the court information relating to the imposition of the control order but the controlee would not himself be able to access that information. The justification for operating the process in this way was that there would be cases where disclosing the particular information to the controlee would itself be contrary to the public interest, particularly by reason of the risks to national security posed by the disclosure.

 

The House of Lords has now held that denying the controlee access to information which is relied upon by the Secretary of State in the context of the section 3(10) process is incompatible with the controlee’s rights under Article 5(4) and 6. In reaching this conclusion, the House of Lords clearly considered themselves to be bound by a recent judgment of the ECtHR in A and Others v United Kingdom (Application No 3455/05 – cf. the earlier judgment of the House of Lords in Secretary of State for the Home Department v MB and AF [2007] UKHL 46; [2008] AC 440 which was decided before the A case). The result of their Lordship’s judgment is that section 3(10) must now be read down so as to produce a result whereby controlees are entitled to access information relied upon by the Secretary of State in the course of the judicial process. In light of the judgment, there must be serious questions as to whether the control orders regime can continue to operate, at least in its existing form. 11KBW’s Cecilia Ivimy appeared on behalf of the Secretary of State for the Home Office. Michael Supperstone QC appeared as a Special Advocate.

Lock up your data

Posted on | by Timothy Pitt-Payne KC

The importance of ensuring the security of personal data has been highlighted in a recent press release from the ICO dated 4 June 2009. The ICO has found Salford Royal NHS Foundation Trust in breach of the Data Protection Act, after a desktop computer containing sensitive personal information relating to around 3,500 patients was stolen. Although the computer was password protected, it was not encrypted or secured to a desk.

A formal undertaking has been signed by the Trust. It will ensure that: appropriate security measures are in place to restrict access to areas where personal information is stored; desktop computers are secured to desks to prevent easy removal; any personal data required to be held on a portable device is suitably encrypted; and personal details are not retained on any computer for longer than is required.

Mick Gorrill, Assistant Information Commissioner at the ICO, emphasised that the worrying trend of personal data losses must be rectified. He said:

“I am increasingly concerned about the way some NHS organisations are failing to securely hold people’s health and personal information. Organisations must implement appropriate safeguards to ensure personal details about patients do not fall into the wrong hands.”

Many thanks to Andrew Smith, currently a pupil at 11KBW, for preparing a first draft of this post.

Doing it by the book

Posted on | by Timothy Pitt-Payne KC

The Information Commissioner’s Office has today announced the latest version of the Privacy Impact Assessment Handbook.  As the title indicates, its purpose is to help organisations to identify and address the privacy risks of their activities.

Following the HMRC data breach in November 2007, the Cabinet Office introduced a requiring for all central Government departments and their agencies to conduct Privacy Impact Assessments (PIAs) when developing new systems. The ICO encourages all organisations to incorporate data protection safeguards into any new project involving personal information.

The handbook is in two parts: Part I (the first two chapters) gives an overview of the PIA process, with detailed information about privacy, common risks, and possible solutions; Part II  then gives a practical guide to conducing a PIA.  There are also four appendices, with examples of screening questions, checklist templates, and privacy strategies.

The handbook should help organisations to make reasoned judgments about the privacy implications of new projects or technological innovations. Some of the recommendations may overlap with privacy work already being done by organisations. A PIA does not have to be conducted as a totally separate exercise; indeed, it may be helpful to look at privacy issues in a broader policy context.

Many thanks to Andrew Smith, currently a pupil at 11KBW, for researching this post and preparing a first draft.

 

11KBW Information Law Seminar

Posted on | by Panopticon Blog

11KBW last night hosted a successful and well-attended information law seminar. The seminar was chaired by James Goudie QC and papers were presented by Tim Pitt Payne and Anya Proops. Tim presented a paper which considered issues of surveillance and employee banning lists and vetting (‘The Surveillance Society In and Out of the Workplace’). Anya presented a paper on recent FOIA developments (‘Recent FOIA Developments: Parliamentary Crises, Ministerial Vetoes and Beyond’). 11KBW would like to thank all those who took the time to attend. If you are legal practitioner and are interested in attending future 11KBW information law seminars, please contact our Head of Marketing, Lucy Miller (lucy.miller@11kbw.com; 0207 632-8500).

High Court Judgment on Inspection of Personal Data

Posted on | by Anya Proops KC

The High Court has recently handed down an interesting judgment on the extent to which redacted personal data contained in documents disclosed in the course of litigation was vulnerable to inspection. The judgment also highlights some of the limits which may be placed on parties seeking inspection of databases containing personal data. In Webster & Ors v Ridgeway Foundation School Governors [2009] EWHC 1140 (QB), the claimants had brought claims against the governors of a school on the basis that they had suffered racially motivated assaults on school property. They alleged that the governors had caused or contributed to the injury by negligently failing to maintain proper disciplinary standards or otherwise taking proper care with respect to pupil security, particularly by allowing racial tensions to develop. During the course of standard disclosure, the governors disclosed a log of investigations into racist incidents, bullying and aggression in the school. Moreover, one of their witness statements disclosed the existence of a computerized system used to record pupil behaviour. The governors allowed inspection of the disclosed documents but redacted the names of purported victims of racism, bullying and aggression. The claimants sought disclosure of the redacted names and, further, of the computerized system. They argued that they needed to access this information in order to assess whether there were other pupils who might be able to provide useful evidence and that they had a right to inspect that information given that its existence had been disclosed by the governors.

Nicol J refused the claimants’ application for inspection of the redacted information and the computerized system. He held that that the mere fact that a document had been disclosed did not mean that there was an automatic right of inspection in respect of all of the information it contained, not least this was because some of the information in the disclosed document may not be relevant to the matters in issue. On the facts of the instant case, Nicol J found that inspection of the redacted names could and should be refused on the basis that: (a) it would amount to an interference with the privacy rights of the individual children named in the documents; and (b) that interference was not necessary in the instant case as the claimants did not need to know the identities of the purported victims in order to have a fair trial or for the fair disposal of the litigation (Science Research Council v Nasse [1980] AC 1028 HL applied). With respect to the computerized system, Nicol J accepted that mention of a document in a witness statement could be equated with inclusion of a document in a disclosure list and, hence, prima facie it would give rise to an obligation to permit inspection. However, he also held that that general proposition was subject to the qualifications contained in CPR 31.3, which included the right to object to disclosure on grounds of proportionality. Nicol J went on to find that permitting inspection of the computerized database would be disproportionate, particularly because: (a) the governors would have to redact the entire database to ensure that any private information relating to individual pupils and, further, any irrelevant information was not disclosed, which was a very substantial task and (b) undertaking this task was disproportionate having regard to any possible benefit for the claimants and the issues in the case.