Panopticon – Page 88 – Information law blog, from 11 KBW

Personal data and fitness to practice investigations – Tribunal overturns ‘neither confirm nor deny’ position

Posted on 17th January 2014 | by Robin Hopkins

When an identifiable individual has been the subject of a formal complaint about their competence or conduct, that fact constitutes their personal data. In terms of privacy/publicity decisions, such situations are often approached in this way: where the complaint is well founded or at least merits serious consideration, publication is warranted, but otherwise confidentiality is maintained, lest unjustified aspersions be cast against that person.

In that respect, the process outlined by the Tribunal in Foster v IC (EA/2013/0176) – which concerned a complaint to the Nursing & Midwifery Council – is typical:

“The complaints procedure administered by the NMC has two stages. The first stage is designed to determine whether or not the matter should be referred to the NMC’s Fitness to Practice Panel. If it is, then the Panel will meet in public and its decision will be made publicly available. But if the complaint does not proceed beyond the first stage, (either because a decision is made not to investigate or because the NMC’s Investigating Committee Panel concludes that the complaint does not justify a reference to the Fitness to Practice Panel), then the process remains confidential. The rationale appears to be that an individual’s professional reputation should not be undermined by the publication of allegations that are found not to have sufficient merit to justify being referred to the Fitness to Practice Panel”.

The Appellant, whose son died following his participation in a drug trial, considered that the NMC investigation in this case – which did not pass the first stage – may have been inadequate. She asked for information about its investigation into her complaint about a named practitioner.

The NMC adopted a ‘neither confirm nor deny’ position under section 40(5), i.e. it considered that to say whether or not it held information on a complaint about this individual would be to tell the world at large whether or not that person had been the subject of a professional complaint of this description. The ICO agreed, but the Tribunal overturned that decision, ordering the NMC to confirm or deny whether it held the requested information.

In reaching that view, the Tribunal – while not passing judgment on the merits of the complaint or the NMC’s investigation – considered the criticisms that had been made:

“If it were to be the case that any member of the care team had realised the error earlier, but had not raised the alarm until after its very sad consequences had become clear, then there would seem to us to be strength in the Appellant’s argument that the evidential basis for the decision of the NMC’s Investigating Committee Panel required investigation”.

In those circumstances, the Tribunal thought the fairness balance favoured confirming or denying whether the requested information was held:

“In reaching that conclusion we reject the Information Commissioner’s argument that it is always unfair, and therefore in breach of the Data Protection Principles, to make a statement that discloses the existence of a complaint of professional misconduct against an individual, where there has been no finding of wrongdoing or malpractice. That would create an inflexible test which prevented all relevant circumstances being taken into account. Nor do we accept the Information Commissioner’s argument that the limited degree of disclosure involved in a “confirm or deny” response would constitute unwarranted interference into X’s privacy, without satisfying a legitimate public interest in disclosure”.

Public authorities who routinely adopt a default ‘neither confirm nor deny stance’ of the type outlined at the start of this post will wish to note that, at least in some circumstances, that approach can be called into question.

Robin Hopkins @hopkinsrobin

The Google/Safari users case: a potential revolution in DPA litigation?

Posted on 16th January 2014 | by Robin Hopkins

I posted earlier on Tugendhat J’s judgment this morning in Vidal-Hall and Others v Google Inc [2014] EWHC 13 (QB). The judgment is now available here – thanks as ever to Bailii.

This is what the case is about: a group of claimants say that, by tracking and collating information relating to their internet usage on the Apple Safari browser without their consent, Google (a) misused their private information (b) breached their confidences, and (c) breached its duties under the Data Protection Act 1998 – in particular, under the first, second, sixth and seventh data protection principles. They sought damages and injunctive relief.

As regards damages, “what they claim damages for is the damage they suffered by reason of the fact that the information collected from their devices was used to generate advertisements which were displayed on their screens. These were targeted to their apparent interests (as deduced from the information collected from the devices they used). The advertisements that they saw disclosed information about themselves. This was, or might have been, disclosed also to other persons who either had viewed, or might have viewed, these same advertisements on the screen of each Claimant’s device” (paragraph 24).

It is important to note that “what each of the Claimants claims in the present case is that they have suffered acute distress and anxiety. None of them claims any financial or special damage. And none of them claims that any third party, who may have had sight of the screen of a device used by them, in fact thereby discovered information about that Claimant which was detrimental” (paragraph 25).

The Claimants needed permission to serve proceedings on the US-based Google. They got permission and served their claim forms. Google then sought to have that service nullified, by seeking an order declaring that the English court has no jurisdiction to try these particular claims (i.e. it was not saying that it could never be sued in the English courts).

Tugendhat J disagreed – as things stand, the claims will now progress before the High Court (although Google says it intends to appeal).

Today’s judgment focused in part on construction of the CPR rules about service outside of this jurisdiction. I wanted to highlight some of the other points.

One of the issues was whether the breach of confidence and misuse of private information claims were “torts”. Tugendhat J said this of the approach: “Judges commonly adopt one or both of two approaches to resolving issues as to the meaning of a legal term, in this case the word “tort”. One approach is to look back to the history or evolution of the disputed term. The other is to look forward to the legislative purpose of the rule in which the disputed word appears”. Having looked to the history, he observed that “history does not determine identity. The fact that dogs evolved from wolves does not mean that dogs are wolves”.

The outcome (paragraphs 68-71): misuse of private information is a tort (and the oft-cited proposition that “the tort of invasion of privacy is unknown in English law” needs revisiting) but breach of confidence is not (given Kitetechnology BV v Unicor GmbH Plastmaschinen [1995] FSR 765).

Google also objected to the DPA claims being heard. This was partly because they were raised late; this objection was dismissed.

Google also said that, based on Johnson v MDU [2007] EWCA Civ 262; (2007) 96 BMLR 99, financial loss was required before damages under section 13 of the DPA could be awarded. Here, the Claimants alleged no financial loss. The Claimants argued against the Johnson proposition: they relied on Copland v UK 62617/00 [2007] ECHR 253, argued for a construction of the DPA that accords with Directive 95/46/EC as regards relief, and argued that – unlike in Johnson – this was a case in which their Article 8 ECHR rights were engaged. Tugendhat J has allowed this to proceed to trial, where it will be determined: “This is a controversial question of law in a developing area, and it is desirable that the facts should be found”.

If the Johnson approach is overturned – i.e. if the requirement for financial loss is dispensed with, at least for some types of DPA claim – then this could revolutionise data protection litigation in the UK. Claims under section 13 could be brought without claimants having suffered financially due to the alleged DPA breaches they have suffered.

Tugendhat went on to find that there were sufficiently serious issues to be tried here so as to justify service out of the jurisdiction – it could not be said that they were “not worth the candle”.

Further, there was an arguable case that the underlying information was, contrary to Google’s case, “private” and that it constituted “personal data” for DPA purposes (Google say the ‘identification’ limb of that definition is not met here).

Tugendhat was also satisfied that this jurisdiction was “clearly the appropriate one” (paragraph 134). He accepted the argument of Hugh Tomlinson QC (for the Claimants) that “in the world in which Google Inc operates, the location of documents is likely to be insignificant, since they are likely to be in electronic form, accessible from anywhere in the world”.

Subject to an appeal from Google, the claims will proceed in the UK. Allegations about Google’s conduct in other countries are unlikely to feature. Tugendhat J indicated a focus on what Google has done in the UK, to these individuals: “I think it very unlikely that a court would permit the Claimants in this case to adduce evidence of what Mr Tench refers to as alleged wrongdoing by Google Inc against other individuals, in particular given that it occurred in other parts of the world, governed by laws other than the law of England” (paragraph 47).

Robin Hopkins @hopkinsrobin

High Court to hear Safari users’ privacy claim against Google

Posted on 16th January 2014 | by Robin Hopkins

Panopticon has from time to reported on Google’s jurisdictional argument when faced with privacy/data protection actions in European countries: it tends to argue that such claims should be dismissed and must be brought in California instead. This argument is not always successful.

The same jurisdictional argument was advanced before Mr Justice Tugendhat in response to a claim brought by a group calling itself ‘Safari Users Against Google’s Secret Tracking’ who, as their name suggests, complain that Google unlawfully gathers data from Safari browser usage.

This morning, Mr Justice Tugendhat dismissed that jurisdictional argument. The case can be heard in the UK. Matthew Sparkes reports in the Daily Telegraph that the judge said “I am satisfied that there is a serious issue to be tried in each of the claimant’s claims for misuse of private information” and that “the claimants have clearly established that this jurisdiction is the appropriate one in which to try each of the above claims”.

The same article says that Google will appeal. This follows Google’s announcement yesterday that it will appeal a substantial fine issued by the French data protection authority for unlawful processing (gathering and storing) of user data.

Panopticon will continue to gather data on these and other Google-related matters.

Robin Hopkins @hopkinsrobin

UCAS and the extent of FOIA: Tribunal favours wide approach

Posted on 16th January 2014 | by Robin Hopkins

Transparency advocates often express frustration at the number of bodies which are not within the scope of FOIA, because they are not listed or designated as ‘public authorities’ for FOIA purposes. The Coalition government responded by announcing, in January 2011, that FOIA would be extended to a number of additional bodies. This was done with effect from 1 November 2011, through the Freedom of Information (Designation as Public Authorities) Order 2011. This brought the Association of Chief Police Officers of England, Wales and Northern Ireland (ACPO); the Financial Ombudsman Service and the Universities and Colleges Admissions Service (UCAS) within the scope of FOIA.

As regards UCAS, the difficulty is that this was not done in a straightforward blanket way. In recognition of the diversity of UCAS’ functions, its amenability to FOIA was limited to information relating to the “provision and maintenance of a central applications and admissions service”. This frames UCAS’ duties in a positive way.

This is similar – but not the same as – the approach taken to the BBC, which is subject to FOIA “in respect of information held for purposes other than those of journalism, art or literature”. This frames the BBC’s duties in a negative way.

The Supreme Court in BBC v Sugar (No2) told us how to approach the extent of the BBC’s FOIA duties. How should Sugar be applied to the differently-worded UCAS provision?

This was the issue before the Tribunal in University and College Admission Service v IC and Lord Lucas (EA/2013/0124), the requester (the author of the Good Schools Guide) made a number of requests to UCAS about university admissions. Some were refused on section 12 (cost of compliance) grounds; the ICO agreed with UCAS that the remaining information was exempt under section 43(2) (prejudice to commercial interests). UCAS and the ICO disagreed, however, about the extent to which UCAS was subject to FOIA.

UCAS argued that Sugar required the Tribunal to consider whether the information was held, to any significant degree, for a purpose other than the designation (in particular, UCAS’s commercial functions), and if so, it fell outside the scope of FOIA.

The ICO argued that because the BBC and UCAS were in reverse positions (the BBC being subject to a specific exclusion, and UCAS subject to a specific inclusion), the question should be whether the information was held to any significant degree for the designated purpose, and if so, it fell within the scope of FOIA. Both parties argued that the other was turning Sugar on its head.

The Tribunal adopted the ICO’s analysis of Sugar. The primary purpose of the 2011 Order was to bring UCAS within the scope of FOIA and subject it to the principles of greater openness and transparency that such a designation was designed to bring: at [68]. The focus of the phrase “the provision and maintenance of a central applications and admissions service”, taken with section 7(5) FOIA, is on what is actually caught by FOIA and the purpose of that wording is specifically to include information: at [66].

In favouring this wider approach to the application of FOIA to UCAS, the Tribunal said this:

“71. Most persuasive is the IC’s point that, in construing the scope of the 2011 Designation Order, it is important to recall that Parliament would have been well aware of the existing exemptions provided in FOIA. There is no need to read the 2011 Designation Order narrowly to ensure there is no overlap with a commercial function of UCAS because section 43 FOIA itself provides protection to UCAS in relation to information which prejudices its commercial interests.

72. The approach of UCAS in this case would have the result that only admissions data relating to the currently live admissions round would fall within the scope of FOIA. This surprisingly narrow result is unlikely to have been the one intended by Parliament when designating UCAS as a public authority for FOIA, not least because the ‘”provision and maintenance of a central applications and admissions service” does not suggest such an outcome.”

11KBW’s Chris Knight appeared for the ICO.

Robin Hopkins @hopkinsrobin

Personal data: Tribunal analyses the ‘relates to’ and ‘identification’ limbs

Posted on 9th January 2014 | by Robin Hopkins

I have commented in previous posts on how infrequently the Data Protection Act 1998 has been the subject of substantive litigation before the courts. One consequence of this is persistent uncertainty over how pivotal concepts such as ‘personal data’ are to be analysed and approached.

Last year, the High Court in Kelway v The Upper Tribunal, Northumbria Police and the Information Commissioner (2013) EWHC 2575 (Admin) considered how ‘personal data’ issues should be approached – see for example this piece by Cynthia O’Donoghue of Reed Smith.

The Kelway approach is rather complicated; it remains to be seen whether it is picked up as any sort of guiding test. The imminent Court of Appeal judgment in the Edem case is also likely to add to the picture on how to determine whether information is personal data.

As things stand, such determinations are not always straightforward. Oates v IC and DWP (EA/2013/0040) is a recent example at First-Tier Tribunal level. Mr Oates was medically examined by in connection with his incapacity benefit claim by a doctor engaged by Atos Healthcare. He was dissatisfied and complained to Atos. At the ‘independent tier’ of its complaint investigation, Atos engaged an independent medical practitioner and also an external company tasked with reviewing Atos’ handling of the initial complaint. Mr Oates wanted to know, inter alia, the names of the medical practitioner and of the company.

The DWP refused, relying on FOIA exemptions (section 40(2) and section 43(2)). The ICO decided that the withheld names should have been handled under the DPA rather than FOIA. This was because, in the ICO’s view, the withheld names constituted Mr Oates’ personal data –thus, by section 40(1) of FOIA, it was exempt under FOIA. Mr Oates had to seek it by a subject access request under the DPA instead.

The DWP said these names were not Mr Oates’ personal data. The Tribunal agreed. As to the ‘relates to’ limb of the definition of personal data, it applied Durant v FSA [2003] EWCA Civ 1746: it found there to be sufficient distance between the complaints review procedure and Mr Oates’ personal privacy to mean that the information did not ‘relate to’ him for DPA purposes.

As to the ‘identification’ limb of the definition of personal data, the DWP had argued that Mr Oates could not be identified from these names alone and that it was not in possession of information to link Mr Oates to the requested names. The ICO argued that the request itself provided that link. In other words, by asking for information about his own assessment and complaint, Mr Oates was providing the DWP with information which linked him to the requested names and allowed him to be identified as the person who had been assessed and who had complained.

Its argument was this: “at the moment when the DWP received the Request, it was put into possession of all the information it needed to relate the information requested to an identifiable individual, namely Mr Oates himself. The fact that he sought information about individuals who had been involved in the assessment of his particular complaint created the necessary connection between himself and the requested information – it both related to him and he could be identified from it.”

The Tribunal did not agree with that ‘linking’ argument. It said this:

“… we reject the Information Commissioner’s suggestion that we should take into account the Request itself. We are satisfied that the correct approach is to consider the body of relevant information held by the public authority in question immediately before the request was received. If that information can be seen to relate to the individual, and to identify him or her, then the case for characterising it as that individual’s personal data is made out. But if it does not do so then it is not appropriate, in our view, to close the circle by taking into account the additional information (as to the name of the individual who is both requester and data subject) which is set out in the request itself, in order to.”

Therefore, the ‘identification’ limb of the definition of personal data was not met either. The requested names did not comprise Mr Oates’ own personal data and fell to be dealt with under FOIA rather than through the subject access provisions of the DPA.

The decision in Oates raises a number of questions. For example, on ‘relates to’, the Durant principles are intended to offer guidance in ‘borderline’ cases – implicitly therefore, the Tribunal in Oates appears to have considered this to be a borderline situation.

On ‘identification’, the Tribunal did not mention the principle from Common Services Agency v Scottish Information Commissioner [2008] UKHL 47; [2011] 1 Info LR 184 that the ‘other information’ which can assist with identification of the individual encompasses not only information held by the data controller, but also information held by any person.

This is not to comment on whether the Tribunal reached the right decision or not – rather, it illustrates that the definition and limits of ‘personal data’ continues to raise tricky questions.

11KBW’s Tom Cross appeared for the ICO in Oates.

Robin Hopkins @hopkinsrobin

Just When You Thought it was Safe to Go Back into the Water – The CJEU Gives Judgment in Fish Legal

Posted on 20th December 2013 | by Christopher Knight

Earlier this year, a video went viral. It was a clip of the Ellen DeGeneres talk show in the US, on which she announced – after years of campaigning – that there would be a Finding Nemo 2. The world rejoiced. In an entirely dissimilar way, there is likely to be a strong clamour for the CJEU to produce Fish Legal 2 (although it is likely to be less fun, let alone involve a shark named Bruce). One Fish Legal judgment will not be enough, not for those pesky pescatarians who like judgments to provide answers.

If Julie Andrews has taught us anything, it is that the beginning is a very good place to start. The history of the Fish Legal case, and the AG’s Opinion in it, are covered in my Socratic post here. In short form, the question for the CJEU was whether or not privatised water companies are public authorities such that they owe obligations under the Environmental Information Regulations 2004 (implementing Directive 2003/4).

In its judgment of 19 December 2013, the Grand Chamber of the Court in Case C-279/12 Fish Legal v Information Commissioner opined on this topic. It readily dismissed the suggestions of the case being hypothetical and resolved to deal with the referred questions. At [48] it held that “only entities which, by virtue of a legal basis specifically defined in the national legislation which is applicable to them, are empowered to perform public administrative functions are capable of falling within the category of public authorities that is referred to in Article 2(2)(b) of Directive 2003/4.” It recognised that that did not answer what “public administrative functions” were. In classic CJEU style it set out the tests in the Directive and the facts:

“51 Entities which, organically, are administrative authorities, namely those which form part of the public administration or the executive of the State at whatever level, are public authorities for the purposes of Article 2(2)(a) of Directive 2003/4. This first category includes all legal persons governed by public law which have been set up by the State and which it alone can decide to dissolve.

52 The second category of public authorities, defined in Article 2(2)(b) of Directive 2003/4, concerns administrative authorities defined in functional terms, namely entities, be they legal persons governed by public law or by private law, which are entrusted, under the legal regime which is applicable to them, with the performance of services of public interest, inter alia in the environmental field, and which are, for this purpose, vested with special powers beyond those which result from the normal rules applicable in relations between persons governed by private law.

53 In the present instance, it is not in dispute that the water companies concerned are entrusted, under the applicable national law, in particular the WIA 1991, with services of public interest, namely the maintenance and development of water and sewerage infrastructure as well as water supply and sewage treatment, activities in relation to which, as the European Commission has observed, a number of environmental directives relating to water protection must indeed be complied with.

54 It is also clear from the information provided by the referring tribunal that, in order to perform those functions and provide those services, the water companies concerned have certain powers under the applicable national law, such as the power of compulsory purchase, the power to make byelaws relating to waterways and land in their ownership, the power to discharge water in certain circumstances, including into private watercourses, the right to impose temporary hosepipe bans and the power to decide, in relation to certain customers and subject to strict conditions, to cut off the supply of water.”

It then declined to provide any sort of answer, leaving it to the Upper Tribunal to determine on the case’s return from the stratosphere: at [55]. The key question, at [56], is whether the body is vested under national law with “special powers“. This will not be an easy test to apply. Spiderman and Superman obviously have special powers. Batman does not; he just has a lot of money. Which comic-book hero do privatised industries more closely resemble, and is there a difference of principle between them? Answer came there none.

The second stage of the analysis was whether, because water companies are regulated by Ofwat and the Secretary of State, they are under the control of bodies which are subject to the EIR and so themselves subject. Is an ‘emanation of the State’ in EU law terms (as water companies are) necessarily caught by Article 2(2)(c) of Directive 2003/4? The CJEU gave a fairly strong hint that it normally would be (at [60]), but in the light of the Aarhus Convention basis of the Directive reformulated its analysis:

“68 Those factors lead to the adoption of an interpretation of ‘control’, within the meaning of Article 2(2)(c) of Directive 2003/4, under which this third, residual, category of public authorities covers any entity which does not determine in a genuinely autonomous manner the way in which it performs the functions in the environmental field which are vested in it, since a public authority covered by Article 2(2)(a) or (b) of the directive is in a position to exert decisive influence on the entity’s action in that field.

69 The manner in which such a public authority may exert decisive influence pursuant to the powers which it has been allotted by the national legislature is irrelevant in this regard. It may take the form of, inter alia, a power to issue directions to the entities concerned, whether or not by exercising rights as a shareholder, the power to suspend, annul after the event or require prior authorisation for decisions taken by those entities, the power to appoint or remove from office the members of their management bodies or the majority of them, or the power wholly or partly to deny the entities financing to an extent that jeopardises their existence.

70 The mere fact that the entity in question is, like the water companies concerned, a commercial company subject to a specific system of regulation for the sector in question cannot exclude control within the meaning of Article 2(2)(c) of Directive 2003/4 in so far as the conditions laid down in paragraph 68 of the present judgment are met in the case of that entity.

71 If the system concerned involves a particularly precise legal framework which lays down a set of rules determining the way in which such companies must perform the public functions related to environmental management with which they are entrusted, and which, as the case may be, includes administrative supervision intended to ensure that those rules are in fact complied with, where appropriate by means of the issuing of orders or the imposition of fines, it may follow that those entities do not have genuine autonomy vis-à-vis the State, even if the latter is no longer in a position, following privatisation of the sector in question, to determine their day-to-day management.”

On this topic at least the CJEU may not have answered the question – it again left it for the Upper Tribunal to determine – but it made its feelings as to the likely outcome pretty clear.

In relation to hybrid public authorities, the CJEU was distinctly unkeen on the importation of such an uncertain test: at [76]. The rejection of hybridity in Smartsource is therefore approved. Instead, it concluded that “Article 2(2)(b) of Directive 2003/4 must be interpreted as meaning that a person falling within that provision constitutes a public authority in respect of all the environmental information which it holds. Commercial companies, such as the water companies concerned, which are capable of being a public authority by virtue of Article 2(2)(c) of the directive only in so far as, when they provide public services in the environmental field, they are under the control of a body or person falling within Article 2(2)(a) or (b) of the directive are not required to provide environmental information if it is not disputed that the information does not relate to the provision of such services“: at [83]. So there can be limits in particular types of case (control cases), but otherwise all environmental information is accessible.

Quite what the result of the judgment is going to be is unclear. Hybridity is dead, and there is some greater clarity on when a body can be said to be under the control of a public authority, but the more general test of when public administrative functions are being exercised remains distinctly murky. It is not likely to be very long before a further reference is sought from somewhere, although it probably will not be announced on the Ellen show.

11KBW’s Anya Proops appeared for the Commissioner in the CJEU, and Rachel Kamm did the same before the Upper Tribunal.

A Merry Christmas to all Panopticon’s readers, and may your 2014 bring you boundless information law litigation.

Christopher Knight

WordPress + Bootstrap