What’s in a name? – Court of Appeal gives judgment in Edem

Posted on | by Anya Proops KC

Deciding whether information which arguably relates to an individual amounts to their ‘personal data’ for the purposes of s. 1(1) of the Data Protection Act 1998 is one of the more challenging aspects of the DPA regime. In making the judgment call in any particular case, data controllers have routinely looked to the guidance set out Auld LJ’s judgment in the well known case of Durant v Financial Services Act [2003] EWCA Civ 1746, [2011] 1 Info LR 1. In his judgment, Auld LJ indicated that there were two ‘notions’ likely to be of assistance when it came to determining whether particular data was sufficiently ‘personal’ that if tell within the scope of the DPA:

‘The first is whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject’s involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised.  The second is one of focus.  The information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest, for example, as in this case, an investigation into some other person’s or body’s conduct that he may have instigated.  In short, it is information that affects his privacy, whether in his personal or family life, business or professional capacity.’ (§28)

Auld LJ’s conclusion that the information must be something which affects the data subject’s privacy is of course unsurprising. As is made clear by the recitals to Directive 95/46/EC (from which the DPA is derived), the core aim of the Directive is to protect our fundamental right to privacy in the context of the management of our data. If particular data does not meaningfully touch on our privacy, then in a sense why should it fall within the ambit of the legislation at all?

So what then is the position in respect of data which records a person’s name? Is that information automatically ‘personal data’ because it is a name which both in a sense identifies and relates to a particular individual? Or does that data have to arise in some form of context whereby it tells you something informative about that individual beyond merely what their name is? This was precisely the issue which the Court of Appeal had to consider in the recent case of Edem v IC & Financial Services Authority [2014] EWCA Civ 92.

In Edem, Mr Edem had made a number of complaints to the FSA concerning its regulation of a particular company. Mr Edem then sought disclosure from the FSA of information about him and his complaints. The sole issue which the Court of Appeal had to consider was whether information amounting to the names of three individuals within the FSA who had worked on the complaints constituted their ‘personal data’ under s. 1(1) DPA. The individuals in question were all junior employees who did not have public facing roles.

The Court of Appeal came down firmly in favour of the conclusion that the names per se constituted ‘personal data’. Moses LJ, with whom Beaton LJ and Underhill LJ agreed, held that:

‘A name is personal data unless it is so common that without further information, such as its use in a work context, a person would remain unidentifiable despite its disclosure’ (§20).

The Court of Appeal sought to reconcile this conclusion with the approach adopted by the Court of Appeal in Durant by saying that the Court of Appeal in Durant was looking at a different issue, namely whether information which did not on its face concern or name Mr Durant was still his personal data because it related to a complaint which he had made to the FSA (§§18-20). The Court went on to find that the ‘notions’ identified by Auld LJ in §28 of his judgment in Durant were of no relevance to a case where what was in issue was information comprising a person’s name, as that information was always intrinsically ‘personal data’, unless it was such a common name that considered on its own it had to be regarded as being effectively anonymous.

Importantly, the Court of Appeal went on to cite with approval the following extract from the Commissioner’s Technical Guidance on the definition of personal data:

“6.         It is important to remember that it is not always necessary to consider ‘biographical significance’ to determine whether data is personal data.  In many cases data may be personal data simply because its content is such that it is ‘obviously about’ an individual.  Alternatively, data may be personal data because it is clearly ‘linked to’ an individual because it is about his activities and is processed for the purpose of determining or influencing the way in which that person is treated.  You need to consider ‘biographical significance’ only where information is not ‘obviously about’ an individual or clearly ‘linked to’ him.”

The judgment is important for a number of reasons. First, it suggests that the Durant guidance must not be treated as embodying golden rules of universal application. This is likely to trouble many data controllers who have in the past approached Durant as it if had biblical authority. Second, it marks a clear judicial endorsement of the fairly generous approach to the construction of the term ‘personal data’ embodied in the ICO’s guidance. What remains to be seen is how the judgment will be held to apply to cases which do not involve such patently identifying information.

Robin Hopkins represented the ICO. Jason Coppel QC represented the Financial Conduct Authority.

Anya Proops

11KBW Information Law Conference, 18th March 2014

Posted on | by Panopticon Blog

11KBW is very pleased to announce that its annual Information Law Conference will be held on 18th March 2014 at the Royal College of Surgeons of England. The conference will cover a range of topical issues including surveillance law in the post-Snowden world, the relationship between information rights and the Article 10 right to freedom of expression and the controversial role played by the FOIA veto.  The conference will also include case-law updates on FOIA, the EIR and the DPA. This year we are delighted to welcome Upper Tribunal Judge Nicholas Wikeley as our keynote speaker.

The full programme can be accessed here.

CPD

The conference will be accredited 4.5 hours CPD – SRA/BSB

Cost

£99 + VAT (20%) = £118.80 to attend half day plus lunch

£150 + VAT (20%) = £180.00 to attend full day

How to Book

To book your place on this conference please email RSVP@11kbw.com with the delegate name, firm, email address and any purchase order details you may require. You will be then sent a confirmation email of your place and invoiced. We do not have the facilities to accept payments by credit or debit cards.

Closed procedure guidance: the Browning version

Posted on | by Robin Hopkins

Reference to closed material is inherent in FOIA litigation. Some element of closed procedure is usually also needed. But how are these closed aspects to be approached so as to accord with principles of justice, fairness and openness?

I blogged last year on the case of Browning v IC and DBIS [2013] 2 Info LR 1, in which the Upper Tribunal appeared to answer those questions. A curious feature of that judgment was that the Upper Tribunal said it was not giving guidance on closed material/procedures, whereas the substance of its judgment seemed to contain precisely that.

The coming months will bring greater clarity. The Court of Appeal has recently given permission to appeal in Browning.

Panopticon understands that the appeal is likely to be heard in the first half of 2014, that it will be heard by three Lord/Lady Justices of Appeal and that consideration is to be given to including among those three the Master of the Rolls or the Vice-President of the Court of Appeal (Civil Division). All of these factors seem to point towards the considerable importance which is – rightly – being attached to the issues concerning closed material and procedures in FOIA/EIR litigation.

Panopticon will report further – on an open basis – in due course.

Robin Hopkins @hopkinsrobin

2014: The Year of the Veto?

Posted on | by Christopher Knight

After a very slow start to the use of the veto under section 53 FOIA, the Coalition Government has rather picked up speed on its use following a flurry in 2012. In one year there were vetoes for the NHS Transitional Risk Register, Iraq war Cabinet minutes, and of course, the correspondence of the Prince of Wales. The last of these is the subject of the first judicial review of a veto decision.

On 30 January 2014 the Secretary of State for Transport announced that he was vetoing the order of the Information Commissioner in decision notice FER0467548 that the Cabinet Office (to whom the request was made) disclose the Project Assessment Review (“PAR”) report concerning High Speed Two (“HS2”), the project for a high-speed rail link between London, Birmingham, the East Midlands, Sheffield, Leeds and Manchester.

In accordance with the legislation, the Secretary of State has published an eleven page Statement of Reasons. They are detailed and specific, and will not be set out in this post. Readers who are interested can see them here. The Secretary of State doubted whether the PAR was environmental information at all, but exercised the veto under both FOIA and the EIR. The ability to do the latter is of course an aspect of the forthcoming appeal in R (Evans) v HM Attorney General (on which see Robin’s analysis here, and my own comment at (2013) 38 LQR 130). The Secretary of State considered that the balance of the public interest favoured non-disclosure. He then gave three reasons for his exceptional use of the veto power: “(1) The exceptional importance of the HS2 project; (2) The extremely strong public interest in ensuring that public expenditure for HS2 is properly and robustly overseen and controlled; (3) The short timeframe between the production of the PAR report and the request for information, and the timing of the request at this particular stage of policy development within the HS2 project.

The background to the veto decision is short but messy. It is unusual for the veto to be used before the Tribunal have considered the Government’s arguments. In the HS2 case, the Cabinet Office withdrew its appeal against the decision notice the day before the hearing, when the Daily Mail published a leaked letter from the Secretary of State and the Minister for Cabinet Office to the Prime Minister referring to negative legal advice the Department had received. That letter suggested the early use of the veto instead, and that is indeed what has occurred.

It will be interesting to see whether, having acquired a taste for it, 2014 proves to be as profitable as 2012 was for veto fans.

11KBW’s Julian Milford was acting for the Secretary of State & the Cabinet Office; Robin Hopkins was acting for the ICO.

Christopher Knight

Freedom of Information: But What is Information? The Upper Tribunal Opines

Posted on | by Christopher Knight

We all know that section 1 gives us a right to request information from listed public authorities, but what does “information” mean? Information is defined by section 84 of FOIA (“‘information’ (subject to sections 51(8) and 75(2)) means information recorded in any form”). This somewhat opaque definition has generally been treated as meaning that a request is for information. It is not for copies of documents. If the public authority wants to type out the document in a different format, they can, so long as the information contained within that document is provided.

The question had to be confronted squarely by the Upper Tribunal in Independent Parliamentary Standards Authority v IC & Leapman [2014] UKUT 33 (AAC) (IPSA v IC_UT decision_Jan 2014). Mr Leapman had made a request to IPSA for receipts and invoices provided by particular MPs in support of their expenses claims. IPSA provided him with transcribed versions of those receipts and invoices. Mr Leapman was not satisfied; he wanted the originals. The ICO agreed. On appeal, so did the First-tier Tribunal (on which see Tom Ogg’s blog here). IPSA appealed to the Upper Tribunal.

Judge Williams dismissed the appeal. He accepted that a receipt will typically have “visual content to be seen, rather than read, but which may also require to be understood for the recipient to have appreciated the whole of the experience” (at [22]). (One leaves aside the suggestion that reading a receipt can be so heady as to warrant the term ‘experience’.) He set out the reasoning of the DN in detail and agreed with it. He relied on the example of trademarks, noting that “I cannot see how full information about a receipt or invoice that contains trademarks can be conveyed if the trademark material is not reproduced in the trademarked form so confirming that unique identity” (at [26]). Judge Williams declined to accept the suggestion that no information is conveyed by location of markings or handwriting: at [27]. In short, there was no error of law in refusing to accept the blanket submission of IPSA that nothing but the words mattered.

There was then a secondary issue concerning section 11(2), and whether it was reasonably practicable for IPSA to provide the original receipts. This too had been rejected by the FTT, and Judge Williams took the same view. In his view, section 11 was request specific, seeing as it directly cross-referred to the subsequent provisions which were also request specific. There was no basis for a “general limit on the duty” to comply with section 1: at [40]. IPSA was not entitled to any special status: at [42].

The Upper Tribunal’s judgment is perhaps counter-intuitive at first sight, but on analysis becomes difficult to dispute. It must be the case that some documents reveal recorded information simply by the way in which they are laid out, or the surrounding markings on the page. What if an MP has submitted faked receipts which IPSA have overlooked, but which on sight of the originals show the relevant logo or trademark to be slightly wrong thus revealing the deception? What if it is said that a document was purely private, but the original reveals it to have been printed on Council notepaper? That is surely what FOIA is for. However, the matter will be case-specific. This is not a disclosure exercise by the back-door – there will need to actually be something to see from the originals.

11KBW’s Robin Hopkins (who else?) appeared for the ICO.

Christopher Knight

The EU’s Data Protection Regulation: where are we?

Posted on | by Robin Hopkins

The replacement of Directive 95/26/EC – the bedrock of data protection in Europe – with a new Regulation is intended as a radical overhaul, making protections for personal data fit for the digital world. It has now been over two years since the first substantive draft of that Regulation was made public. I dimly recall Tim Pitt-Payne and I summarising it – see here.

The Regulation is yet to emerge. As a number of Panopticon readers have asked: where have we got to? Here are five points by way of summary.

1. Two members of the trinity are on board

Following seemingly interminable negotiations, the European Parliament’s civil liberties committee (LIBE) now endorses the European Commission’s position on the modified draft. This means that two of the three key bodies at the EU level appear to be of one mind. The next step is for the third body, the European Council, to be persuaded during negotiations. See this blog post by the ICO’s Deputy Commissioner, David Smith.

2. In search of the cardinal virtues – consent, consistency, proportionality

In a very illuminating summary of the major principles at issue, the ICO tells us that it welcomes the following features of the current draft: a stringent approach to consent (or, in low-risk situations, a ‘legitimate interests’ condition justifying the processing of personal data); consistency and an EU-wide ‘one-stop shop’ model; ensuring that processing conditions are proportionate to risk (by, for example, requiring data subjects to be notified ‘without delay’ rather than within 24 hours, as was originally proposed).

The ICO remains concerned, however, that the draft Regulation continues to suffer from some vices: its use of the ‘pseudonymisation’ concept muddies the distinction between personal and non-personal data; the approach to profiling is insufficiently nuanced, and the international transfer rules may be unrealistically stringent.

3. The Regulation is dead!

Peter Fleischer, Google’s global privacy counsel, considers that the stalled progress of 2013 effectively means that “the old draft is dead”. His view, however, is that this delay will provide an opportunity for a more realistic re-think: “Whatever comes next will be the most important privacy legislation in the world, setting the global standards. I’m hopeful that this pause will give lawmakers time to write a better, more modern and more balanced law.”

4. Long live the Regulation!

EU officials are, however, optimistic about the current draft being spurred on to finality in 2014. Peter Hustinx, the outgoing European Data Protection Supervisor (curiously, no successor has yet been appointed), hopes that Greece’s imminent turn in the presidency seat will provide a fresh impetus for productive negotiation. Importantly, he sees Germany (often characterised as setting very stringent standards for data protection) as being in the driving seat: “The new German government can tackle this subject with the necessary drive and energy and thereby gain acceptance of the German position at European level and lead Europe to a higher level of data protection.”

5. Are the Americans Safe?

The processing of EU citizens’ data by US-based companies sits outside the direct reach of the envisaged Regulation, as with the current Directive. Since 2000, transfers of personal data to the US have been governed by the Safe Harbour Agreement, under which approximately 3,300 companies have been certified as safe (in the sense of being EU compliant in their data protection standards).

The European Council and Parliament have, however, expressed concern about the fitness for purpose of the Safe Harbour scheme. They have observed that “Web companies such as Google, Facebook, Microsoft, Apple, Yahoo have hundreds of millions of clients in Europe and transfer personal data for processing to the US on a scale inconceivable in the year 2000 when the Safe Harbour was created”. They area also concerned about the ongoing revelations about surveillance: “divergent responses of data protection authorities to the surveillance revelations demonstrate the real risk of the fragmentation of the Safe Harbour scheme and raise questions as to the extent to which it is enforced”.

Progress by the US Department of Commerce is now sought – by March 2014 – on improving transparency, the application of EU principles and enforcement. The arrangements will be further reviewed in 2014.

Robin Hopkins @hopkinsrobin