Panopticon – Page 81 – Information law blog, from 11 KBW

Section 13 DPA in the High Court: nominal damage plus four-figure distress award

Posted on 13th June 2014 | by Robin Hopkins

Given the paucity of case law, it is notoriously difficult to estimate likely awards of compensation under section 13 of the Data Protection Act 1998 for breaches of that Act. It is also very difficult to assess any trends in compensation awards over time.

AB v MoJ [2014] EWHC 1847 (QB) is the Courts’ (Mr Justice Jeremy Baker) latest consideration of compensation under the DPA. The factual background involves protracted correspondence involving numerous subject access requests. Ultimately, it was held that the Defendant failed to provide certain documents to which the Claimant was entitled under section 7 of the DPA within the time frames set out under that section.

Personal data?

There was a dispute as to whether one particular document contained the Claimant’s ‘personal data’. Baker J noted the arguments from Common Services Agency, and he is not the first to observe (at his paragraph 50) that it is sometimes not a ‘straightforward issue’ to determine whether or not information comes within the statutory definition of personal data. Ultimately, he considered that the disputed document did not come within that definition: it “is in wholly neutral terms, and is indeed merely a conduit for the provision of information contained in the letters which it enclosed which certainly did contain the claimant’s personal data”.

Nonetheless, the DPA had been breached in virtue of the delays in the provision of other information to which the Claimant was entitled under section 7. What compensation should he be awarded?

Damage under section 13(1) DPA

Baker J was satisfied, having considered In Halliday v Creation Consumer Finance Limited [2013] EWCA Civ 333, [2013] 2 Info LR 85 (where the same point was conceded), that nominal damage sufficed as ‘damage’ for section 13(1) purposes: “In this regard the word “damage” in this sub-section is not qualified in any way, such that to my mind provided that there has, as in this case, been some relevant loss, then an individual who has also suffered relevant distress is entitled to an award of compensation in respect of it”.

Here the Court was satisfied that nominal damages should be awarded. The Claimant had spent a lot of time pursuing his requests, albeit that much of that time also involved pursuing requests on clients’ behalves, and albeit that no actual loss had been quantified:

“Essentially the claimant is a professional man who, it is apparent from his witness statement, has expended a considerable amount of time and expense in the pursuit of the disclosure of his and others’ data from various Government Departments and other public bodies, including the disclosed and withheld material from the defendant. Having said that, the claimant has not sought to quantify his time and expense, nor has he allocated it between the various requests on his own and others’ behalves. In these circumstances, although I am satisfied that he has suffered damage in accordance with s.13(1) of the DPA 1998, I consider that this is a case in which an award of nominal damages is appropriate under this head, which will be in the conventional sum of £1.00.”

Distress under section 13(2) DPA

That finding opened the door to an award for distress. The Court found that distress had been suffered, although it was difficult to disentangle his distress attributable to the breaches of the DPA from his distress as to the other surrounding circumstances: “doing the best I am able to on the evidence before me I consider that any award of compensation for distress caused as a result of the relevant delays in this case, should be in the sum of £2,250.00”.

Until this week, Halliday was the Courts’ last reported (on Panopticon at any rate) award of compensation under section 13 DPA. That was 14 months ago. In AB, the Court awarded precisely triple that sum for distress.

For a further (and quicker-off-the-mark) discussion of AB, see this post on Jon Baines’ blog, Information Rights and Wrongs.

Robin Hopkins @hopkinsrobin

Privacy, electronic communications and monetary penalties: new Upper Tribunal decision

Posted on 12th June 2014 | by Robin Hopkins

Panopticon reported late last year that the First-Tier Tribunal overturned the first monetary penalty notice issued by the Information Commissioner for breaches of the Privacy and Electronic Communications Regulations 2003. This was the decision in Niebel v IC (EA/2012/0260).

The Information Commissioner appealed against that decision. The Upper Tribunal gave its decision on the appeal yesterday: see here IC v Niebel GIA 177 2014. It dismissed the Commissioner’s appeal and upheld the First-Tier Tribunal’s cancellation of the £300,000 penalty imposed for the sending of marketing text messages.

I appeared in this case, as did James Cornwell (also of the Panopticon fold), so I will not be offering an analysis of the case just now. With any luck, one of my colleagues will be cajoled into doing so before too long.

It is worth pointing out simply that this is the first binding decision on the meaning of the various limbs of s. 55A of the DPA 1998, which contains the preconditions for the issuing of a monetary penalty notice.

Robin Hopkins @hopkinsrobin

Section 14 in the Court of Appeal

Posted on 10th June 2014 | by Christopher Knight

Just when you thought it was safe to go back in the water. Just when you had got your head round the decisions of Judge Wikeley in Information Commissioner v Devon CC & Dransfield 2012] UKUT 440 (AAC); [2013] 1 Info LR 360 and Craven v Information Commissioner & DECC [2012] UKUT 442 (AAC); [2013] 1 Info LR 335, and the Information Commissioner has issued spangly new guidance on section 14, and the FTT has been merrily applying the new tests to a host of appeals. Just when all that had become de rigeur and everyone was settling back down…

The Court of Appeal, in the form of Briggs LJ at an oral renewal hearing, has granted Mr Dransfield and Ms Craven permission to appeal against the judgments of Judge Wikeley on the issues of the proper interpretation of section 14(1) FOIA and regulation 12(4)(b) EIR (respectively), and the application to their requests for information. Briggs LJ also granted both appellants the necessary extension of time for their appeals. He refused their applications to admit fresh evidence.

No appeal date has been set – the Order granting permission was only sent on 9 June. But the various members of 11KBW involved below (Tom Cross for the ICO, Rachel Kamm for Devon CC, James Cornwell for DECC) will enable Panopticon to ensure that it continues to cause readers to gaze in horror at their screens with the latest updates. Our work here is only just beginning…

Christopher Knight

Cyril Smith and the FTT

Posted on 9th June 2014 | by Christopher Knight

Although not a decision of any particular legal significance, it is perhaps worth mentioning the judgment last week of the First-tier Tribunal in Corke v Information Commissioner & Crown Prosecution Service (EA/2014/0012), if only because it is one of those relatively rare occasions on which the work of the FTT itself (as opposed to the information it results in) has been the subject of news coverage, ranging from the Daily Mail to the BBC.

The request was for disclosure of information relating to the now fairly notorious decisions made over time not to prosecute Sir Cyril Smith (a Liberal MP who died in 2010) for offences against children. The disputed material consists of two Minutes prepared by a CPS lawyer in 1998 and 1999. The first reviewed case papers considered in1970 and looked at the weight of the evidence, reflected on the changing approach to the investigation and prosecution of such crimes between 1970 and 1998 and considers bars to a prosecution being launched in 1998. The second considered two more allegations. The material contains the names of individuals concerned in the case in particular the youths who made allegations against Sir Cyril.

The CPS withheld information within the scope of the request, citing section 30(1)(c) (information held for the purpose of criminal proceedings), section 42(1) (legal professional privilege), and section 40(2) (third party personal data). The ICO issued a DN which held that the public interest was finely balanced, but upheld the refusal to disclose. Amongst other things, the ICO noted that the CPS had provided some public explanation of its past decisions and made clear that the same approach would be unlikely to be taken now.

The FTT disagreed with the DN and found that the public interest favoured disclosure of almost all of the requested information (with some redactions). It held that the safe space of the CPS would be unlikely to be harmed given the unique nature of the particular case involved, and the professionalism (and professional obligations) of CPS lawyers. It considered that the documents were in themselves significant historical documents which cast light on changes in the law as it has responded to the evolution of understanding of these crimes and changing social attitudes to them, as well as casting light on Sir Cyril himself. The unusual nature of the case also meant that the public interest in disclosing material covered by section 42 also favoured disclosure. Not surprisingly, the death of Sir Cyril Smith was also mentioned. The FTT redacted material which went beyond the names of the complainants, which might conceivably be used to identify them.

Christopher Knight

Data Protection and Child Protection

Posted on 6th June 2014 | by Christopher Knight

One of the difficulties users and practitioners have with the Data Protection Act 1998 is that there is so little case law on any of the provisions, it can be very hard to know how a court will react to the complicated structure and often unusual factual scenarios which can throw up potential claims. There are two reasons why there is so little case law. First, most damages claims under the DPA go to the County Court, where unless you were in the case it is hard to know that it happened or get hold of a judgment. Secondly, most damages claims are for small sums, which is it is more cost-effective to settle than fight.

Neither of those problems applied in MXA v Hounslow LBC, West Berkshire Council, Taunton Dean BC & Wokingham BC (QBD, 4 June 2014, not yet reported), in which M had filed claims in the High Court against a series of local authorities alleging that they held inaccurate and damaging information about him (presumably under sections 10 and 14 DPA, although the limited report available does not make clear). The local authorities applied to strike out the claims, and M failed to attend the hearing. M also alleged a breach of Article 8 ECHR in the data handling.

The facts as summarised are regrettably common. Harrow received information alleging that the step-daughter of M, E, was being physically and sexually abused by M. M complained about records of allegations of sexual misbehaviour towards a child in 2007 set out in a police report, which he denied. Harrow passed the information to Wokingham when E moved into that area. Wokingham recorded and reviewed the material and passed it on to West Berkshire when E moved again. Further allegations received by West Berkshire were sufficiently serious to require an investigation. M had signed forms consenting to the sharing and collection of information. Care proceedings were later initiated.

Perhaps not surprisingly, Bean J granted the application to strike out. He held that the local authorities were conducting child protection functions under their statutory duties (see, for example, the Children Act 1989). In relation to the fifth data protection principle that personal data should not be held for longer than necessary, Harrow had received a recent complaint and had been provided with police records of convictions and other allegations. The duty of the local authorities, as the baton passed to each of them, was to keep those records for as long as necessary to ensure E’s welfare. The welfare investigation was at an early stage and the local authorities would clearly be acting in breach of their duty if they shredded the information. M could not argue that the information was so historic and uncorroborated that it ought to have been wiped and not disseminated. It had not been disseminated to the public, but passed only to local authorities where the family had lived.

Data controllers recorded a variety of information including allegations and mere suspicions due to the nature of the investigation. The suggestion that the information should not have been recorded unless the data controller was satisfied of its truth to a civil standard was unsustainable, as to which Bean J cited Johnson v Medical Defence Union [2007] EWCA Civ 262; [2011] 1 Info LR 110. Any claim based on the fourth data protection principle that information should be accurate and up to date was met by para 7 of Part II of Schedule 1 as the purpose for which the data was obtained was child protection. Reasonable steps had been taken to ensure its accuracy and the record indicated those matters which M had said were inaccurate. M had twice signed forms consenting to the retrieval of medical and criminal records.

Moreover, M’s section 10 claim to prevent processing likely to cause damage or distress was excluded by section 10(2) and para 3 of Schedule 2, as the processing was necessary to enable the local authorities to comply with their statutory obligations. They were doing no more than performing a proper statutory function.

Bean J also struck out claims of negligence, held that Articles 3 and 6 ECHR were irrelevant, and that there was an interference with M’s Article 8 rights but that it was plainly proportionate in order to protect E.

All of which goes to show that the DPA does not stop public authorities carrying out their important duties, even where underlying facts or allegations are disputed, and that on the occasions where the DPA makes it to court the judges can be trusted to understand both the context in which the authority must operate and that the DPA is intended to recognise that context. Perhaps DPA users have nothing to fear but fear itself after all.

11KBW’s Timothy Pitt-Payne QC acted for West Berkshire Council.

Christopher Knight

Google Spain – article in The Lawyer by Anya Proops

Posted on 24th May 2014 | by Rachel Kamm

Ahklaq Choudhury posted this week about the Google Spain judgment. For more 11KBW commentary on the topic, see the article in The Lawyer by Anya Proops: “Privacy but at what price?“. Anya’s article concludes:

“Of course, it may well be that these issues will be resolved in the context of the new Data Protection Regulation which is still being debated in Europe. However, in the meantime, the judgment in Google Spain means we may well find ourselves exposed to a degree of data impoverishment which augurs ill for the development of our information society.”

Rachel Kamm, 11KBW

WordPress + Bootstrap