ID Card Trials Struggle on Take Off

Recent media reports suggest that the British Airline Pilots’ Association (Balpa), which represents more than 80% of commercial airline pilots, is considering a legal challenge to Home Office plans to use critical airside workers as the first compulsory guinea pigs in trials of the national identity card scheme. MPs are shortly to be asked to approve powers which could be used to compel pilots and other individuals who work airside to register for the national ID card scheme as part of their pre-employment checks. Balpa, which has been objecting to the proposed trial arrangements since late 2008, has raised concerns about the compulsory nature of the current proposed arrangements. It has also asserted that ID cards will have absolutely no value so far as security is concerned. Meanwhile, speculation that the Government may look to axe the ID card scheme in the wake of the economic downturn has been dampened by an announcement in early April 2009 that the Government had recently signed two ten year contracts worth £650 million to get the scheme under way.

GCHQ Denies Snooping Project

GCHQ, one of the three UK intelligence agencies, has issued a public statement in which it has specifically denied that it is developing technology which would enable it to access all internet traffic in the UK. The statement, which was made in response to weekend media reports on GCHQ’s Mastering the Internet Programme (MTI), is unusual in that the agency does not usually comment on media stories.  The statement is plainly designed to reassure the public that the State is not secretly sanctioning the development of highly intrusive surveillance strategies. Its release follows in the wake of an announcement made by the Home Secretary on 27 April 2009 that the government had shelved plans to create a superdatabase that would centrally store all communications data in Britain (see the earlier post on the Super Database).

Police DNA Database Cut Down to Size

The Home Secretary, Jacqui Smith, will this week unveil plans to remove from the police national database DNA information relating to up to one million innocent people. The proposals come in the wake of the ECtHR’s judgment in Marper in December 2008 that the practice of retaining the DNA profiles of innocent people on the database constituted an unjustified interference with the Article 8 right to privacy. Privacy campaigners have welcomed this development but continue to lobby for further limitations on the database, including removing the DNA profiles for minor offenders. See further Tim Pitt-Payne’s article on the Marper judgment in the New Law Journal.

Recent conference papers

On 11 KBW’s main website, you can now find some conference papers delivered this month by members of chambers.

There’s a paper that I gave at a Northumbria University conference.  The theme of the conference was information sharing; my paper is about the new law on breach of confidence (post-Campbell v MGN).

Yesterday, the LGG/11KBW legal update conference took place, with about 115 delegates.  Karen Steyn gave a paper on recent case-law affecting local authorities; the first section is about information law.  I gave a paper about employment vetting.  In discussion, delegates were clearly very interested in getting to grips with the new ISA barring regime.  Questions were raised about its implications for elected members of local authorities, and for volunteers (e.g. parents helping out in schools).  

Another subject raised in discussion was the recent decision of the Administrative Court in R(G) v Governors of X School and Y City Council.  A music assistant employed at a primary school was dismissed; the allegation was that he had formed an inappropriate relationship with a 15 year old boy who was on work experience at the school.  The school’s disciplinary committee told the employee that they would be reporting the case to the Secretary of State for potential inclusion in “list 99” (i.e. the statutory list of those banned from working in schools).  The Court quashed the decision because the school had refused to allow legal representation at the dismissal hearing or at a forthcoming appeal.  The disciplinary proceedings, and the referral to the Secretary of State for a potential banning direction, formed part of one and the same proceedings.  Those proceedings were not criminal in nature for the purpose of article 6 of the Convention.  However, their potential consequences were grave; and procedural fairness required the claimant to be allowed legal representation, before both the school’s disciplinary committee and its appeal committee.

Super Database – Not so Super After All

The Home Secretary has this week announced that proposals to create a State run super database, which would track everyone’s use of email, internet and text messages, have been scrapped. The announcement is hardly surprising. It was always going to be difficult to persuade the public that such a database could be kept secure, particularly in light of recent high profile controversies about large scale losses of electronic personal data by government agencies. Moreover, allowing the State to develop such a vast single repository of electronic communications data was always going to raise questions as to whether the resulting interference with private rights was proportionate and was otherwise consistent with the State’s obligations under the Data Protection Act 1998. The Government has now issued a consultation paper on new plans to allow telecommunications companies to retain the communications data for a period of 12 months. See further the Home Secretary’s Ministerial Statement.

California court says don’t cry before you’re hurt

In November 2007 it was announced that HMRC had lost two CDs containing personal information about 25 million people.  Since then there has been a steady stream of stories about data losses, mainly from the public sector.

The Data Protection Act 1998 requires appropriate measures to be taken against the accidental loss of personal data.  Breach of this requirement can lead to enforcement action by the Information Commissioner. An individual whose data was lost could claim compensation from the data controller under section 13 of the Act, but only on proof of damage.  If the individual had suffered identity fraud as a result of the breach then this would probably be sufficient.  What if the individual argued that he was now at a higher risk of ID fraud, even though no fraud had yet taken place?  Would this count as damage?

A US district court in California has recently considered a similar question.  In Ruiz v Gap and Vangent a laptop was stolen containing unencrypted personal data of 750,000 Gap job applicants.  In a class action, the plaintiff sued for negligence, contending that he and the other class members had suffered damage consisting of exposure to an increased risk of ID fraud.  The Court granted summary judgment to the defendants and dismissed the claim.  Speculative harm, or the threat of future harm, was not enough for a cause of action in negligence.  The plaintiff relied on cases where recovery had been allowed for medical monitoring after negligent exposure to toxic substances; the court rejected the analogy.  It also noted that Gap had informed those whose information was on the laptop, and had offered to provide them with 12 months of free credit monitoring.  The plaintiff had not taken up this offer.

In policy terms it is questionable whether strengthening individual rights of action is the best way to deal with data loss.  Of course, individuals who suffer direct financial loss – through ID fraud or otherwise – should be compensated.  But in the Ruiz type of claim individual damages are likely to be modest.  There is no great social benefit in spending a lot of time and money in order to provide a wide class of individuals with low-level compensation.  Instead the focus should be on deterring breaches and avoiding recurrence.  The Information Commissioner’s new power to fine for serious data protection breaches (DPA section 55A) is a step in the right direction, though not yet in force.

If the UK regulatory framework needs further strengthening then one option would be legislation requiring data controllers to notify affected individuals where information is lost or stolen.  Last year the Thomas/Wolpert data sharing review recommended notification to the Information Commissioner as good practice, but not as a mandatory requirement.  The Government agreed.  Its response (see page 19) made clear that it had considered, and rejected, the possibility of a US-style law requiring notification of data breaches to the individuals affected.

Incidentally, I found the Ruiz case via the excellent blog maintained by InfoSecCompliance LLC, a US firm specialising in privacy, information law and data security. David Navetta is their founding member.