Cyril Smith and the FTT

Posted on | by Christopher Knight

Although not a decision of any particular legal significance, it is perhaps worth mentioning the judgment last week of the First-tier Tribunal in Corke v Information Commissioner & Crown Prosecution Service (EA/2014/0012), if only because it is one of those relatively rare occasions on which the work of the FTT itself (as opposed to the information it results in) has been the subject of news coverage, ranging from the Daily Mail to the BBC.

The request was for disclosure of information relating to the now fairly notorious decisions made over time not to prosecute Sir Cyril Smith (a Liberal MP who died in 2010) for offences against children. The disputed material consists of two Minutes prepared by a CPS lawyer in 1998 and 1999. The first reviewed case papers considered in1970 and looked at the weight of the evidence, reflected on the changing approach to the investigation and prosecution of such crimes between 1970 and 1998 and considers bars to a prosecution being launched in 1998. The second considered two more allegations. The material contains the names of individuals concerned in the case in particular the youths who made allegations against Sir Cyril.

The CPS withheld information within the scope of the request, citing section 30(1)(c) (information held for the purpose of criminal proceedings), section 42(1) (legal professional privilege), and section 40(2) (third party personal data). The ICO issued a DN which held that the public interest was finely balanced, but upheld the refusal to disclose. Amongst other things, the ICO noted that the CPS had provided some public explanation of its past decisions and made clear that the same approach would be unlikely to be taken now.

The FTT disagreed with the DN and found that the public interest favoured disclosure of almost all of the requested information (with some redactions). It held that the safe space of the CPS would be unlikely to be harmed given the unique nature of the particular case involved, and the professionalism (and professional obligations) of CPS lawyers. It considered that the documents were in themselves significant historical documents which cast light on changes in the law as it has responded to the evolution of understanding of these crimes and changing social attitudes to them, as well as casting light on Sir Cyril himself. The unusual nature of the case also meant that the public interest in disclosing material covered by section 42 also favoured disclosure. Not surprisingly, the death of Sir Cyril Smith was also mentioned. The FTT redacted material which went beyond the names of the complainants, which might conceivably be used to identify them.

Christopher Knight

Data Protection and Child Protection

Posted on | by Christopher Knight

One of the difficulties users and practitioners have with the Data Protection Act 1998 is that there is so little case law on any of the provisions, it can be very hard to know how a court will react to the complicated structure and often unusual factual scenarios which can throw up potential claims. There are two reasons why there is so little case law. First, most damages claims under the DPA go to the County Court, where unless you were in the case it is hard to know that it happened or get hold of a judgment. Secondly, most damages claims are for small sums, which is it is more cost-effective to settle than fight.

Neither of those problems applied in MXA v Hounslow LBC, West Berkshire Council, Taunton Dean BC & Wokingham BC (QBD, 4 June 2014, not yet reported), in which M had filed claims in the High Court against a series of local authorities alleging that they held inaccurate and damaging information about him (presumably under sections 10 and 14 DPA, although the limited report available does not make clear). The local authorities applied to strike out the claims, and M failed to attend the hearing. M also alleged a breach of Article 8 ECHR in the data handling.

The facts as summarised are regrettably common. Harrow received information alleging that the step-daughter of M, E, was being physically and sexually abused by M. M complained about records of allegations of sexual misbehaviour towards a child in 2007 set out in a police report, which he denied. Harrow passed the information to Wokingham when E moved into that area. Wokingham recorded and reviewed the material and passed it on to West Berkshire when E moved again. Further allegations received by West Berkshire were sufficiently serious to require an investigation. M had signed forms consenting to the sharing and collection of information. Care proceedings were later initiated.

Perhaps not surprisingly, Bean J granted the application to strike out. He held that the local authorities were conducting child protection functions under their statutory duties (see, for example, the Children Act 1989).  In relation to the fifth data protection principle that personal data should not be held for longer than necessary, Harrow had received a recent complaint and had been provided with police records of convictions and other allegations. The duty of the local authorities, as the baton passed to each of them, was to keep those records for as long as necessary to ensure E’s welfare. The welfare investigation was at an early stage and the local authorities would clearly be acting in breach of their duty if they shredded the information. M could not argue that the information was so historic and uncorroborated that it ought to have been wiped and not disseminated. It had not been disseminated to the public, but passed only to local authorities where the family had lived.

Data controllers recorded a variety of information including allegations and mere suspicions due to the nature of the investigation. The suggestion that the information should not have been recorded unless the data controller was satisfied of its truth to a civil standard was unsustainable, as to which Bean J cited Johnson v Medical Defence Union [2007] EWCA Civ 262; [2011] 1 Info LR 110. Any claim based on the fourth data protection principle that information should be accurate and up to date was met by para 7 of Part II of Schedule 1 as the purpose for which the data was obtained was child protection. Reasonable steps had been taken to ensure its accuracy and the record indicated those matters which M had said were inaccurate. M had twice signed forms consenting to the retrieval of medical and criminal records.

Moreover, M’s section 10 claim to prevent processing likely to cause damage or distress was excluded by section 10(2) and para 3 of Schedule 2, as the processing was necessary to enable the local authorities to comply with their statutory obligations. They were doing no more than performing a proper statutory function.

Bean J also struck out claims of negligence, held that Articles 3 and 6 ECHR were irrelevant, and that there was an interference with M’s Article 8 rights but that it was plainly proportionate in order to protect E.

All of which goes to show that the DPA does not stop public authorities carrying out their important duties, even where underlying facts or allegations are disputed, and that on the occasions where the DPA makes it to court the judges can be trusted to understand both the context in which the authority must operate and that the DPA is intended to recognise that context. Perhaps DPA users have nothing to fear but fear itself after all.

11KBW’s Timothy Pitt-Payne QC acted for West Berkshire Council.

Christopher Knight

Google Spain – article in The Lawyer by Anya Proops

Posted on | by Rachel Kamm

Ahklaq Choudhury posted this week about the Google Spain judgment. For more 11KBW commentary on the topic, see the article in The Lawyer by Anya Proops: “Privacy but at what price?“. Anya’s article concludes:

Of course, it may well be that these issues will be resolved in the context of the new Data Protection Regulation which is still being debated in Europe. However, in the meantime, the judgment in Google Spain means we may well find ourselves exposed to a degree of data impoverishment which augurs ill for the development of our information society.”

Rachel Kamm, 11KBW

The Common Law and the Spirit of Kennedy

Posted on | by Christopher Knight

Following the Supreme Court’s lengthy, slightly unexpected, and difficult to grasp judgment in Kennedy v Charity Commission [2014] UKSC 20 (on which I have been quiet because of my involvement, but see Tom Cross’s blogpost here) there has been room for quite a large amount of debate as to how far it goes. Was the majority only suggesting access to the Charity Commission’s information under the common law principle of open justice applied because of the particular statutory regime and/or the nature of the statutory inquiry involved? Or was the principle rather more wide-ranging?

An answer has perhaps begun to emerge, as there was some discussion of this in the judgment of Green J in R (Privacy International) v HMRC [2014] EWHC 1475 (Admin). The judgment is, again, a long one, but the case was a judicial review of a decision of the HMRC that they had no power or duty to disclose information about their export control functions and in particular any investigations into the export by United Kingdom companies of software used for covert surveillance of political activists by repressive foreign regimes. Green J held that section 18 of the Commissioners for Customs and Revenue Act 2005 did provide such a power, and the HMRC had construed it too narrowly, when the power existed but was fact and context-dependent: see too R (Ingenious Media Holdings Plc) v HMRC [2013] EWHC 3258 (Admin), [2014] S.T.C. 673.

The judgment in Kennedy came out shortly after the oral hearing in Privacy International and it obviously sparked something of a debate. Green J accepted that the type of legal process involved was different to that in Kennedy, but he was of the view that Kennedy was authority for a more general proposition, or at least approach: at [62]:

I do not consider that the judgments in Kennedy lack all relevance. The Supreme Court was at pains to point out that the common law treated openness as very important and, with all the ecessary provisos and caveats, that message can in some measure carry through into section 18(2) CRCA 2005. In Kennedy Lord Mance, who gave the leading judgment for the majority, introduced his judgment with the following message which goes well beyond the narrow confines of the Charity Commission:

“1. Information is the key to sound decision-making, to accountability and development; it underpins democracy and assists in combatting poverty, oppression, corruption, prejudice and inefficiency. Administrators, judges, arbitrators, and persons conducting inquiries and investigations depend upon it; likewise the press, NGOs and individuals concerned to report on issues of public interest. Unwillingness to disclose information may arise through habits of secrecy or reasons of self-protection. But information can be genuinely private, confidential or sensitive, and these interests merit respect in their own right and, in the case of those who depend on information to fulfil their functions, because this may not otherwise be forthcoming. These competing considerations, and the balance between them, lie behind the issues on this appeal”.

The claimant conceded in the light of the Supreme Court decision that Article 10 ECHR did not give it a right of access to information, but argued that Article 10 did prevent one state body from stopping another state body imparting information which it wished to impart. Green J felt it unnecessary to decide the point because it added nothing to the common law: at [176], [179].

For various reasons on the facts of the case, and the particular context of HMRC’s approach to section 18, the decision was quashed. But it is a useful indication of how the courts have begun to think about the impact of Kennedy and other information access provisions.

Christopher Knight

Google Spain and the CJEU judgment it would probably like to forget.

Posted on | by Akhlaq Choudhury

In the landmark judgment in Google Spain SL and Google Inc., v Agencia Espanola de Proteccion de Datos, Gonzales (13th May 2014), the CJEU found that Google is a data controller and is engaged in processing personal data within the meaning of Directive 95/46 whenever an internet search about an individual results in the presentation of information about that individual with links to third party websites.  The judgment contains several findings which fundamentally affect the approach to data protection in the context of internet searches, and which may have far-reaching implications for search engine operators as well as other websites which collate and present data about individuals.

The case was brought Mr Costeja Gonzales, who was unhappy that two newspaper reports of a 16-year old repossession order against him for the recovery of social security debts would come up whenever a Google search was performed against his name. He requested both the newspaper and Google Spain or Google Inc. to remove or conceal the link to the reports on the basis that the matter had long since been resolved and was now entirely irrelevant. The Spanish Data Protection Agency rejected his complaint against the newspaper on the basis that publication was legally justified. However, his complaint against Google was upheld. Google took the matter to court, which made a reference to the CJEU.

The first question for the CJEU was whether Google was a data controller for the purposes of Directive 95/46. Going against the opinion of the Advocate General (see earlier post), the Court held that the collation, retrieval, storage, organisation and disclosure of data undertaken by a search engine when a search is performed amounted to “processing” within the meaning of the Directive; and that as Google determined the purpose and means of that processing, it was indeed the controller. This is so regardless of the fact that such data is already published on the internet and is not altered by Google in any way.

 The Court went on to find that the activity of search engines makes it easy for any internet user to obtain a structured overview of the information available about an individual thereby enabling them to establish a detailed profile of that person involving a vast number of aspects of his private life.  This entails a significant interference with rights to privacy and to data protection, which could not be justified by the economic interests of the search engine operator.  In a further remark that will send shockwaves through many commercial operators providing search services, it was said that as a “general rule” the data subject’s rights in this regard will override “not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject’s name” (at paras 81 and 97). Exceptions would exist, e.g. for those in public life where the “the interference with…fundamental rights is justified by the preponderant interest of the general public in having…access to the information in question”.

However, the Court did not stop there with a mere declaration about interference. Given the serious nature of the interference with privacy and data protection rights, the Court said that search engines like Google could be required by a data subject to remove links to websites containing information about that person, even without requiring simultaneous deletion from those websites.

Furthermore, the CJEU lent support to the “right to be forgotten” by holding that the operator of a search engine could be required to delete links to websites containing a person’s information. The reports about Mr Costejas Gonzales’s financial difficulties in 1998 were no longer relevant having regard to his right to private life and the time that had elapsed, and he had therefore established the right to require Google to remove links to the relevant reports from the list of search results against his name. In so doing, he did not even have to establish that the publication caused him any particular prejudice.

The decision clearly has huge implications, not just for search engine operators like Google, but also other operators providing web-based personal data search services. Expect further posts in coming days considering some of the issues arising from the judgment.

Akhlaq Choudhury

11KBW at PDP’s FOI Conference

Posted on | by Robin Hopkins

PDP Conferences is hosting its 10th annual Freedom of Information Conference in London on 15 and 16 May, with 11KBW hosting the wine and canapés reception.

The conference will be chaired by Robin Hopkins.

The Deputy Information Commissioner, Graham Smith, is the keynote speaker, with Timothy Pitt-Payne QC also among the speakers on day 1 of the conference.

On day 2, 11KBW’s Ben Hooper will host one of the workshops.

The full programme can be found here.