The GDPR is to become law in the UK

November 1st, 2016 by Anya Proops QC

So sayeth Secretary of State Karen Bradley MP in her evidence to the Culture, Media, and Sports Select Committee on Monday 24th October 2016. In fact, her precise words were: ‘We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public’ (see here). This statement has since been welcomed by Elizabeth Denham, as reflected on the ICO’s blog. Read more »


Whose Article 10 rights – the journalist or the confidential source?

October 24th, 2016 by Julian Blake

Does a media corporation breach a source’s article 10 rights by voluntarily disclosing their identity to the police? Is source confidentiality lost by criminal conduct? These are the questions that the Court of Appeal had to grapple with in the appeal against conviction brought by former prison officer Robert Norman.

Read more »


Environmental information: the exception for ‘proceedings of public authorities’

October 20th, 2016 by Robin Hopkins

The Environmental Information Regulations 2004 contain an exception from the duty to disclose information where disclosure would adversely affect “the confidentiality of the proceedings of that or any other public authority where such confidentiality is provided by law” (regulation 12(5)(d)). There is an equivalent provision in Directive 2003/4/EC. What is meant by the “proceedings” of a public authority? Read more »


Anonymous information, or personal data? Keys, chains and IP addresses

October 20th, 2016 by Robin Hopkins

If you work in data protection, I bet you love questions like this:

I have some information which looks anonymous – but is it nonetheless ‘personal data’? (If it is, it saddles me with plenty of otherwise inapplicable legal duties blah moan). The test is whether there is a realistic prospect of someone being identified, but how do I apply that test? How do I tell whether the risk of someone being identified from this apparently anonymous information is sufficiently high?

And I bet you especially love questions like this:

I have some information which is anonymous in my hands: it would be absolutely impossible for me to identify anyone from this information. But someone else could – there is someone else who has the key which can unlock the identities behind this apparently anonymous (or pseudonymised) data. What now? Is it personal data or not? Read more »


Ingenuous but not Ingenious: Confidentiality in the Supreme Court

October 20th, 2016 by Rupert Paines

In 2012 HMRC’s then Permanent Secretary for Tax, Dave Hartnett, had an ‘off the record’ (but audio-recorded) meeting with two Times financial journalists, intended as a background briefing on tax avoidance. One topic of discussion was film investment schemes, designed to utilise tax relief for film production partnerships. Mr Hartnett made a number of comments about one agency, Ingenious Media, and its founder Patrick McKenna, including that Mr McKenna had “never left [Mr Hartnett’s] radar”, that “he’s a big risk”, that HMRC “would like to recover lots of the tax relief” from Ingenious’ schemes and that “we’ll clean up on film schemes over the next few years”. Read more »


Compensation awarded for misuse of data processing powers

October 17th, 2016 by Robin Hopkins

In my post on the TLT case last week, I mentioned a second recent judgment awarding compensation for a DPA breach. This is the judgment of the Central London County Court (HHJ Luba QC) in Andrea Brown v Commissioner of Police for the Metropolis and Chief Constable of Greater Manchester Police (judgment available via Inforrm here).

Whereas TLT concerned a data breach (accidental public disclosure), Brown concerned the unfair use of policing powers to obtain information for an employment disciplinary matter. The Court awarded £9,000 in compensation, arising as follows. Read more »