Disclosing child protection information: make sure you ask the right questions first

Posted on | by Robin Hopkins

High-profile revelations in recent years illustrate the importance of public authorities sharing information on individuals who are of concern in relation to child protection matters. When inaccurate information is shared, however, the consequences for the individual can be calamitous.

AB v Chief Constable of Hampshire Constabulary [2015] EWHC 1238 (Admin) is a recent High Court judgment (Jeremy Baker J) which explores the implications of such inaccurate disclosures. The case is not only about inaccuracies per se, but about why those inaccuracies were not picked up before the disclosure was made.

Perhaps the most notable point from the judgment is this: if such a disclosure is to be necessary, then the data controller must take care to ask themselves reasonable questions about that information, check it against other obvious sources, and make necessary enquiries before disclosure takes place.

In other words, failure to ask the right questions can lead to the wrong course of action in privacy terms. Here is how that principle played out in the AB case.

Background

In 2010, AB was summarily dismissed from his job as a science teacher for inappropriate comments and conduct with potential sexual undertones, as well as a failure to maintain an appropriately professional boundary with students. His appeal against dismissal failed. The Independent Safeguarding Authority, however, decided not to include AB on its barred lists. The General Teaching Council also investigated AB, but it did not find that the allegations of improper conduct were made out.

AB’s dismissal, however, came to the attention of a member of the child abuse investigation public protection unit of the Hampshire Constabulary. Enquiries were made of the college, and certain email correspondence and records were generated and retained on police systems.

Later the following year, AB was offered a teaching job elsewhere. This came to the police’s attention in 2013. There was internal discussion within the police about this. One officer said in an email that, among other things (i) AB had also been dismissed from another school, and (ii) AB’s 2010 dismissal had involved inappropriate touching between himself and pupils. There was no evidence that either of those points was true. That email concluded “From What I’ve been told he should be nowhere near female students. I will put an intel report in on [AB]”.

The above information was passed to the Local Authority Designated Officer (‘LADO’) and in turn to the school, who terminated AB’s employment. He then made a subject access request under the DPA, by which he learnt of the above communication, and also the source of that information, which was said to be a notebook containing a police officer’s notes from 2010 (which did not in fact record either (i) or (ii) above). AB complained of the disclosure and also of the relevant officer’s failures to follow the requisite safeguarding procedures. The police dismissed his complaint.

The Court’s judgment

AB sought judicial review of both the disclosure of the inaccurate email in the email, and of the dismissal of his complaint about the police officer’s conduct in his reporting of the matter.

The Court (Jeremy Baker J) granted the application on both issues. I focus here on the first, namely the lawfulness of the disclosure in terms of Article 8 ECHR.

Was the disclosure “in accordance with the law” for Article 8 purposes?

The Court considered the key authorities in this – by now quite well-developed – area of law (Article 8 in the context of disclosures by the police), notably:

MM v United Kingdom [2010] ECHR 1588 (the retention and disclosure of information relating to an individual by a public authority engages Article 8, and must therefore be justified under Article 8(2));

Tysiac v Poland (2007) 45 EHRR 42, where the ECtHR stressed the importance of procedural safeguards to protecting individuals’ Article 8 rights from unlawful interference by public bodies;

R v Chief Constable of North Wales Ex. Parte Thorpe [1999] QB 396: a decision about whether or not to disclose the identity of paedophiles to members of the public, is a highly sensitive one. “Disclosure should only be made when there is a pressing need for that disclosure”);

R (L) v Commissioner of Police for the Metropolis [2010] 1 AC 410: such cases are essentially about proportionality;

R (A) v Chief Constable of Kent [2013] EWCA Civ 1706: such a disclosure is often “in practice the end of any opportunity for the individual to be employed in an area for which an [Enhanced Criminal Record Certificate] is required. Balancing the risks of non-disclosure to the interests of the members of the vulnerable group against the right of the individual concerned to respect for his or her private life is a particularly sensitive and difficult exercise where the allegations have not been substantiated and are strongly denied”;

R (T) v Chief Constable of Greater Manchester Police & others [2015] AC 49 and R (Catt) v ACPO [2015] 2 WLR 664 on whether disclosures by police were in accordance with the law and proportionate.

The Court concluded that, in light of the above authorities, the disclosure made in AB’s case was “in accordance with the law”. It was made under the disclosure regime made up of: Part V of the Police Act 1997, the Home Office’s Statutory Disclosure Guidance on enhanced criminal records certificates, section 10 of the Children Act 2004 and the Data Protection Act 1998.

See Jeremy Baker J’s conclusion – and notes of caution – at [73]-[75]:

“73. In these circumstances it seems to me that not only does the common law empower the police to disclose relevant information to relevant parties, where it is necessary for one of these police purposes, but that the DPA 1998, together with the relevant statutory and administrative codes, provide a sufficiently clear, accessible and consistent set of rules, so as to prevent arbitrary or abusive interference with an individual’s Article 8 rights; such that the disclosure will be in accordance with law.

74. However, it will clearly be necessary in any case, and in particular in relation to a decision to disclose information to a third party, for the decision-maker to examine with care the context in which his/her decision is being made.

75. In the present case, although the disclosure of the information by the police was to a LADO in circumstances involving the safeguarding of children, it also took place in the context of the claimant’s employment. The relevance of this being, as DC Pain was clearly aware from the contents of his e-mail to PS Bennett dated 10th June 2013, that the disclosure of the information had the potential to adversely affect the continuation of the claimant’s employment at the school….”

Was the disclosure proportionate?

While the disclosure decision was in accordance with the law, this did not remove the need for the police carefully to consider whether disclosure was necessary and proportionate, particularly in light of the serious consequences of disclosure for AB’s employment.

The Court held that the disclosure failed these tests. The crucial factor was that if such information about AB was well founded, then it would have been contained in his Enhanced Criminal Record Certificate – and if it was not, this would have prompted enquiries about the cogency of the information (why, if it was correct, was such serious information omitted from the ECRC?) which would reasonably have been pursued to bottom the matter out before the disclosure was made. These questions had not been asked in this case. See [80]-[81]:

“… In these circumstances, it was in my judgment, a necessary procedural step for DC Pain to ascertain from the DBS unit as to, whether, and if so, what information it had already disclosed on any enhanced criminal record certificate, as clearly if the unit had already disclosed the information which DC Pain believed had been provided to him by the college, then it would not have been necessary for him to have made any further disclosure of that information.

81. If either DC Pain or PS Bennett had taken this basic procedural step, then not only would it have been immediately obvious that this information had not been provided to the school, but more importantly, in the context of this case, it would also have been obvious that further enquiries were required to be made: firstly as to why no such disclosure had been made by the DBS unit; and secondly, once it had been ascertained that the only information which was in the possession of the DBS unit was the exchange of e-mails on the defendant’s management system, as to the accuracy of the information with which DC Pain believed he had been provided by the college.”

Judicial reviews of disclosure decisions concerning personal data: the DPA as an alternative remedy?

Finally, the Court dealt with a submission that judicial review should not be granted as this case focused on what was essentially a data protection complaint, which could have been taken up with the ICO under the DPA (as was suggested in Lord Sumption’s comments in Catt). That submission was dismissed: AB had not simply ignored or overlooked that prospect, but had rather opted to pursue an alternative course of complaint; the DPA did not really help with the police conduct complaint, and the case raised important issues.

Robin Hopkins @hopkinsrobin

Mosley v Google: RIP

Posted on | by Anya Proops KC

So Max Mosley has done a deal with Google in respect of his claim that Google had breached his rights under the DPA 1998 by refusing to block certain images and videos accessible via the Google search engine (see this FT article which suggests that the settlement also applies to claims brought by Mr Mosley in Germany and France). The settlement of the claim, which follows on from Google’s failed strike out application (discussed further below), leaves unanswered a number of really important questions concerning the application of data protection rights in the online world. Not least, the settlement leaves open the question of the extent to which the so-called ‘right to be forgotten’ can operate so as to force internet search engines, not only to de-index individual URLs on request, but also to block access to the offending data globally (i.e. as ISEs already do, for example, where images of child pornography are identified).

This is an important issue for those data subjects who garner significant public attention within the online environment, as was the case with Mr Mosley. The difficulty for such individuals is that online stories or comments about them can proliferate on the internet at such a rate that they cannot practicably achieve the online amnesia they crave. No sooner have they requested that the relevant internet search engine remove a number of privacy-invasive links, than the story has sprung up in a raft of other different locations on the net, with the result that the individual is effectively left trying to capture lightening in a bottle. This raises the question as to whether a right to be forgotten mechanism which is limited to de-indexing only specific those URL’s identified by the data subject is fit for purpose in terms of achieving the outcomes envisaged by the CJEU in Google Spain. Put shortly, if the ISE is the lightening conductor for privacy intrusive data, can it properly be required to stop the lightening at its source and block all access to the data in question? Is this the way in which the right to be forgotten ultimately cashes out in the online world?

Which takes us on to the defences which Google sought to run in the Mosley case because, certainly in the context of the strike out application, Google was not seeking to argue that data in issue (images and video of Mr Mosley engaging in private sexual activity) was not private or that its online dissemination did not cause substantial damage or substantial distress to Mr Mosley for the purposes of s. 10. Nor did Google seek to dispute that the damage or distress suffered by Mr Mosley was ‘unwarranted’ for the purposes of s. 10(1). Instead, its entire case in the context of the strike out was mounted on the basis that it was shielded from all liability under the DPA by virtue of the protections afforded to intermediary ‘internet society services’ (ISSs) under Part IV of the E-Commerce Directive (Directive 2000/31/EC).

For the uninitiated, Part IV of the E-Commerce Directive is designed to afford protections to intermediary ISSs which are genuine data intermediaries in the sense that they merely transmit, cache (i.e. store) or host data generated by others. The idea which lies behind Part IV is that the development of electronic commerce within the information society, one of the key objectives of the E-Commerce Directive (see recital [2]), would be frustrated if entities acting essentially as online data messengers could too readily get shot by third party claimants. Thus, we see:

  • in Article 12 a limitation on liability where the ISS is acting as a mere conduit;
  • in Article 13 a limitation on liability where the ISS is merely caching the data;
  • in Article 14 a limitation on liability where the ISS is merely hosting the data (this was the provision invoked by Facebook in CG v Facebook, as to which see my post here) and, finally,
  • in Article 15 a specific exclusion of any general obligation on the part of the ISS to monitor content falling within the scope of Articles 12, 13 or 14.

Google’s case on the strike out was that it was not liable in respect of Mr Mosley’s claim under s. 10 DPA on the basis that: (a) it was merely caching the data in issue (thus Article 13 of the E-Commerce Directive was engaged) and, in any event (b) the order being sought by Mr Mosley would conflict with the requirement of Article 15 of the E-Commerce Directive, as it would result in Google having to engage in general monitoring of cached content.

Mitting J considered both of these arguments in the context of Google’s strike out application (see his judgment here). So far as Google’s case on Article 13 was concerned, Mitting J clearly took the view that, where an individual’s data protection rights are being infringed by virtue of an ISS’s continued processing of privacy-invasive data, there is nothing in Article 13 of the E-Commerce Directive which purports to limit the ISS’s liability to cease processing that data; quite the contrary Article 13(2) specifically leaves the door open to a cease processing order being made in these circumstances (see in particular [47]). This conclusion dovetailed with Mitting J’s more general (albeit provisional) conclusion that the Data Protection Directive and the E-Commerce Directive were intended to work ‘in harmony’ with one another (see [45]-46]). On the Article 15 defence, Mitting J was clearly sceptical about Google’s argument that the order being sought by Mr Mosley would result in the kind of general monitoring which was ostensibly prohibited by Article 15 [54]. However, he accepted that this was an issue which would have to be decided by the trial judge.

Of course, in light of the recent settlement, it is clear that that issues concerning Google’s Article 15 defence are now unfortunately not going to be decided by the trial judge. Which leaves us all pondering in particular the following important questions:

  • First, where right to be forgotten claims are formulated as claims to have data blocked by the relevant ISE, will such claims in practice effectively require a form of general monitoring by the ISE?
  • Second, if they do require a form of general monitoring, does that mean that the claims must fail by reference to Article 15 of the E-Commerce Directive or does Article 15 itself have to fall silent in the face of the imperatives of the data protection legislation? (Mitting J made clear in his judgment he was not expressing a view on this issue)
  • Third, what about claims for compensation brought against an ISE which refuses to block data? Do E-Commerce principles afforded ISEs a refuge against such claims? (Notably, Mitting J had stayed Mr Mosley’s compensation claim pending the outcome in Vidal-Hall so he did not address this issue).

It is perhaps worth pointing out here that no reference was made in Mitting J’s judgment to the EU Charter of Fundamental Rights (presumably because Charter rights were not specifically relied on in argument). Obviously in the post-Vidal-Hall world, Charter rights – including not least Article 8 (concerning the protection of personal data) – are bound to play a dominating role in discussions concerning the relationship between the E-Commerce Directive and data protection rights. Which all tends to suggest that this is an area which remains rich in litigation potential.

Finally, it should be pointed out that as at today’s date the various images which Mr Mosley was seeking suppress all appear still to be available online via Google. It remains to be seen whether in time these images will in fact quietly sink into the soup of online forgetfulness.

Anya Proops

Life for the CD Yet

Posted on | by Christopher Knight

Does anyone remember compact discs? Isn’t everything downloadable from iTunes, or Napster, or whatever it is that young people are using these days? Well, to the joy of crotchety old people everywhere, the court system still uses CDs. Indeed, the Upper Tribunal records hearings before it on CD, and when a litigant wants access to those recordings the Upper Tribunal may take the view that it is interests of justice to disclose it to them. (We are not yet at the thrilling stage of having Upper Tribunal hearings filmed and made available online, as in the Supreme Court. One cannot imagine why.)

So it was in the case of Mr Edem – he of ‘is a name personal data?’ fame – who did not approve of being given his recordings but under terms which did not permit him to more widely disclose them. Instead, he sought them under FOIA and was met with the fairly predictable reliance by the Ministry of Justice on the absolute exemption for court records in section 32(1)(c). Aha, said Mr Edem, but a CD is not a “document” within the meaning of section 32(1).

This may come as something of a surprise argument to anyone looking at the broad definition of information in section 84, the approach of the Court of Appeal in IPSA (see here), the Upper Tribunal decision in Peninsula Business Services v ICO & Ministry of Justice [2014] UKUT 284 (AAC), and indeed common sense. It is less of a surprise to see the argument fail in Edem v ICO & Ministry of Justice [2015] UKUT 210 (AAC).

Judge Wikeley had little difficulty in accepting that the purpose of section 32(1), to enable the courts to control access to their own files and records, indicates a broader interpretation of document than merely paper files, and the effect of the distinction that an audio record would not be caught but a transcript would be was patently not intended to be the outcome. In any event, a document is simply something which contains information. It does not determine the form or mode of container. Various cases from different contexts (including of course the Kennedy litigation under FOIA) gave support for the conclusion that “document” naturally includes an audio recording which contains relevant information. In so concluding, Judge Wikeley reached precisely the same conclusion as Judge Williams had done in Peninsula. The Upper Tribunal also dismissed the argument that simply because the use of “document” in section 25 (on national security certificates) must mean a written document because of the specific context of a certificate did not require the same interpretation generally: a written document is a document but the reverse is not true. The strike out of the appeal was upheld.

Rupert Paines appeared for the ICO; Rachel Kamm was for the MoJ.

Christopher Knight

Vexed by Vexatiousness? The Court of Appeal is Here to Help

Posted on | by Christopher Knight

The Court of Appeal has today handed down judgment in Dransfield v ICO & Devon County Council; Craven v ICO & Department for Energy and Climate Change [2015] EWCA Civ 454 (Dransfield Craven FINAL JUDGMENT 14 5 15. As people will recall, Dransfield is concerned only with section 14 FOIA, and Craven is concerned with whether the same approach should be adopted under the differently worded regulation 12(4)(b) EIR. For those desperately hoping it would not require completely relearning everything just as everyone was getting used to the Upper Tribunal decisions (on which see Robin’s lengthy screed here), a sigh of relief can be exhaled. Arden LJ gives the only substantive judgment (with which Gloster and Macur LJJ agree), which she helpfully summarises at [5]-[7] and which I set out in full so people with better things to do can stop reading:

5. The appeals raise different and difficult questions. In my judgment, for the detailed reasons given below, this court should dismiss each appeal.  

6. In Mr Dransfield’s case, the request, taken on its own, is a precise and politely-worded request. There is nothing on the face of this request which could be termed “vexatious”. Nonetheless the UT held that it was vexatious because of the past history of dealings between him and the authority. So the principal issue on his appeal is whether a request can treated as vexatious if it is not itself vexatious but previous requests have been. The FTT thought that the line had to be drawn at previous requests which “infected” the request under consideration (“the current request”). The UT rejected that test and held that there was no line to be drawn. Mr Dransfield seeks to uphold the test applied by the FTT. I do not accept this submission because it involves writing words into FOIA which the court may not do. The UT went on to formulate and apply guidance as to the meaning of “vexatious” which he has not challenged.

7. In Mrs Craven’s case, the principal question is whether the tests under section 14 FOIA and regulation 12(4)(b) have the same meaning (“the two-tests-one-meaning issue”). I conclude that to all intents and purposes they do. The next questions are whether the IC could raise an objection under regulation 12(4)(b) when the authority had not done so, whether section 14 (2) affects the meaning of section 14(1) and whether the costs of compliance could be taken into account under both tests (“the costs of compliance issue”). I agree with the UT on those points too. I would therefore dismiss Mrs Craven’s appeal also.”

And so orthodoxy reigns.

As to the detail of the judgment, although it is relatively long (28 pages), when one strips out the annexed statutory provisions, the factual background and the submissions of the parties, the actual analysis only runs from [61]-[73] on Mr Dransfield’s appeal and [74]-[88] on Mrs Craven’s.

In relation to Dransfield, the issue was the degree to which a prior course of conduct of the requestor could infect a request which in and of itself was inoffensive. Arden LJ agreed that no comprehensive or exhaustive definition should be adopted, but considered that the focus should be “on an objective standard and that the starting point is that vexatiousness primarily involves making a request which has no reasonable foundation, that is, no reasonable foundation for thinking that the information sought would be of value to the requester, or to the public or any section of the public“. The test should be a high one to meet, but all relevant circumstances should be considered. Where a motive can be established, that may be evidence of vexatiousness, although if the request is aimed at disclosure of important information which ought to be publicly available then even a “vengeful” request may not meet the test: at [68]. Motive was relevant here; section 14 is an exception to the ordinary approach that the reason why a right is exercised is irrelevant: at [66]. The FTT’s approach had been wrong; there were no bright lines and attempting them was illogical. Evidence of prior requests was capable of throwing light on the current request and the motivation behind it: at [69]. Had it been necessary to do so, the Court would have accepted that the Upper Tribunal had made an unchallengeable finding that the belligerent and unreasonable tone linked to the present request: at [71]. Because, as stressed at [6], there was no challenge to the Upper Tribunal’s general guidance, the Court of Appeal cast no doubt upon it and it will continue to be a useful source of assistance (with the caveat that protection of public resources cannot lower the high standard of vexatiousness required: at [72]).

In relation to Craven, Arden LJ dealt with a slightly wider range of issues. She made further comments on section 14 itself, noting that vexatiousness could not mean a requirement for persistent requests, still less for persistent requests to a range of different authorities, which would not be readily discoverable: at [77]. Section 14(2), on repeat requests, is a separate power which does not assist in interpreting section 14(1): at [82]. A key question in Craven was whether there should be any difference between the two regimes. Arden LJ held that there was not, particularly because section 14 was primarily an objective analysis, which accorded with the natural meaning of “unreasonable“. The word “manifestly” simply means that it must be clearly shown, and does not require detailed investigation by the authority into things it does not know: at [78]. There was no suggestion that the answer would have been any different under section 14: at [79] (although of course CJEU case law may develop in a different direction). One notable aspect of Craven is that it was a single request which was particularly burdensome and costly to deal with, but there was no section 12 equivalent in the EIR, and on this Arden LJ agreed with the Upper Tribunal’s approach: cost of compliance can be taken into account, although those costs would have to be balanced against the benefits of disclosure: at [83]. An unconcluded view was expressed that a higher hurdle might apply to rely on the costs burden under the EIR than FOIA, but no decision was reached: at [84]. The Court was satisfied that a costs burden could indeed apply to section 14: at [85].

We are, as a result, more or less where we were before the Court of Appeal’s judgment. Indeed all it has probably added is the weight of authority in some places and a bit of confusion (mostly around section 14 being objective, which is unhelpfully expressed but not, it appears, substantively different) in others. People can sensibly continue to guide themselves by the much more detailed guidance of the Upper Tribunal, subject to the caveats noted here. All the important clarifications made by the Upper Tribunal survive, and one suspects very limited changes will be required to the ICO’s Guidance. Repeat requestors should beware, particularly if they are unreasonable ones, and those making single but large requests should too.

The ICO was represented in both appeals by Tom Cross; Devon CC by Rachel Kamm and DECC by James Cornwell.

Christopher Knight

Right to be forgotten…in Japan

Posted on | by Anya Proops KC

I have just had my attention drawn to this interesting article from the Japan Times about how the right to be forgotten is beginning to gain traction in Japan. Just goes to show that Europe is not the only environment within which this highly controversial right can potentially gain a foothold.

Anya Proops

Vidal-hall in the supreme court?

Posted on | by Anya Proops KC

Just two short but important pieces of news. First, I can now confirm that Google has applied for permission to appeal to the Supreme Court in respect of the Court of Appeal’s landmark judgment in Vidal-Hall v Google. The SC’s judgment on the application is awaited. Second, it would appear that the case of CG v Facebook which I blogged about earlier this year (see here) is also currently on appeal in Northern Ireland, with a cross-appeal being brought by CG on the question of whether the court erred when it concluded that Facebook fell outside the territorial scope of the DPA 1998. For further news on these important cases, watch this space.

Anya Proops