Penalty shoot out – tribunal decision in Scottish Borders Council appeal

The First-Tier Tribunal has today issued its decision in the Scottish Borders Council monetary penalty notice case – the decision can be found on the tribunal’s website here (11KBW’s Robin Hopkins acted for the ICO). The background to the case is that the ICO had issued SBC with a monetary penalty notice requiring it to pay a penalty of £250,000. The penalty was issued in circumstances where a data processor, appointed by SBC to digitise its pension records, had ended up placing the hard copies of the records in the post box bins at Tesco and another supermarket. In total about 1,600 files had been disposed of in this way. SBC appealed against the imposition of the penalty to the Information Tribunal. The Tribunal held that the penalty was unlawful and, indeed, that the Commissioner had no power to issue a penalty under s. 55A DPA. This was because, whilst SBC had seriously contravened the DPA, the facts and circumstances of the case were such that the contravention was not of a kind likely to cause substantial damage or distress. Thus, an essential precondition for the engagement of the Commissioner’s power to issue a penalty under s. 55A had not been met. I am reluctant to comment further on this decision as I am shortly to be appearing against Timothy Pitt-Payne QC in the first ever appeal to the Upper Tribunal on the application of the monetary penalty regime (Central London Community Healthcare Trust NHS v IC). However, doubtless one of my colleagues will in due course provide illuminating analysis of this important decision.

Anya Proops

New subject access code published by ICO

Yesterday I posted about a new and important High Court judgment on the application of the subject access regime. As it happens, yesterday was also the day on which the Information Commissioner published his new ‘Subject Access Code of Practice’. This is an important document which requires careful consideration by anyone working in the DPA field. Points which are particularly worthy of note include the following:

  • subject access a ‘fundamental right’ – The Commissioner identifies the data subject’s right to access his or her personal data as a ‘fundamental right’ (p. 7). However, interestingly the code does not examine in any detail why this is such an important right. Instead, it simply says: ‘Enabling individuals to find out what personal data you hold about them, why you hold it and who you disclose it to is fundamental to good information-handling practice. The Data Protection Act 1998 (DPA) gives individuals the right to require you to do this.’ (p. 5). However, it is important that data controllers understand why the subject access right is such a fundamental right. The answer to this question lies very clearly in the recitals to the EU Directive from which the DPA is derived, Data Protection Directive 95/46/EC. Those recitals make clear that the underlying objective of the data protection regime is to ensure that personal data is handled in a way that properly protects the privacy of data subjects. The subject access regime is designed to support the privacy rights of individuals by ensuring that they are, in effect, able to monitor how data controllers are processing their data.


  • requests made by social media – applicants are entitled in principle to make subject access requests via the data controller’s Facebook page, its Twitter account or any other social media sites to which it subscribes, although the Commissioner accepts that this may not be the most effective way to deliver a request in a form which will enable the data controller to respond to it easily and quickly (p. 10).


  • a child’s right of access – Data about a child belongs to that child, rather than to any parent or guardian. It is therefore the child who enjoys the right of access to their data, albeit that that right may be exercised on their behalf by their parent or guardian. A variety of considerations come into play when a data controller is asked to respond to a request made by a child directly (p. 11).


  • purpose of the request not a relevant consideration at the stage when requests are being responded to – The Commissioner continues to take the position that an applicant’s purpose or motive in making a subject access request does not affect the request’s validity or the data controller’s duty to respond to it (p. 20). This is an important consideration because very often subject access requests are not made for the purpose of ensuring that a data controller is processing the data subject’s data in a manner which safeguards their privacy but rather in order to afford a data subject an advantage in litigation which they are conducting, usually against the data controller. It should be noted that the Commissioner’s position on this issue has yet to be tested by the High Court or any appellate court (cf. the Southern Pacific Personal Loans case I blogged about yesterday and compare the conclusion reached by the Court of Appeal in Abadir, which you can read about here). See further the discussion of the Commissioner’s enforcement powers below.


  • scope of the data controller’s search obligations – A key consideration for data controllers when they are responding to subject access requests is how far they have to go when searching their complex, multi-layered information systems for potentially relevant data. The Commissioner has now made clear that considerations of reasonableness and proportionality can properly come into play as and when a data controller is considering how to discharge its search obligations. Thus, the code states that, whilst there are ‘no express limits’ on the search obligation provided for under the DPA, data controllers are: ‘not required to do things that would be unreasonable or disproportionate to the importance of providing subject access to the information’. That said, the code goes on to attenuate the effect of this conclusion by stating that: data controllers should still ‘be prepared to make extensive efforts to find and retrieve the requested information’; any decision as to the scope of the data controller’s search obligations should take into account the fundamental nature of the right afforded under s. 7 and, further, requests cannot be refused simply because they are ‘labour-intensive or inconvenient’ (p. 22). This analysis will give little comfort to small and medium-sized businesses where wide-ranging subject access requests may have commercially crippling effects.


  • Commissioner’s enforcement functions – The code alludes to the Commissioner’s power to issue an enforcement notice in cases where a data controller has failed to comply with its obligations under the subject access provisions. It makes clear that: a notice will not necessarily be served ‘simply because an organisation has failed to comply with the subject access provisions’; the Commissioner will consider whether the failure is likely to cause or has caused the data subject to suffer damage or distress (as per the requirements of s. 40(2) DPA); whilst he can serve a notice in the absence of damage or distress, ‘it must be reasonable, in all the circumstances, for him to do so’; and importantly ‘he will not require organisations to take unreasonable or disproportionate steps to comply with the law on subject access’ (p. 53).


  • Importantly, the code goes on to allude to the fact that, where an applicant seeks to enforce their subject access rights by going to the court under s. 7(9) DPA, the court may treat the application as an abuse of process if the request has been made against a backdrop of litigation and as a means of accessing information which ought properly to be dealt with through the disclosure process. However, somewhat unhelpfully the code is entirely unclear on whether the Commissioner would regard this as a relevant consideration in the context of the discharge of his statutory enforcement functions. Instead, it simply refers the reader back to the point made in chapter 9 of the code that a request cannot be refused based on the purpose for which it was made (p. 59). Of course, from the data controller’s point of view, it would obviously be entirely unsatisfactory if there were to be an asymmetry in the enforcement regime, with a data subject being able to get a better result if they seek enforcement from the Commissioner under s. 40 as opposed to the result they would get if they went to court under s. 7(9). Query whether the Commissioner ought in the circumstances to be striving to achieve an approach to enforcement which is aligned with the approach adopted by the courts.

Anya Proops

Subject access – important new High Court judgment

It is a strange feature of the DPA subject access regime that, despite having extremely far-reaching legal effects, to date it has only rarely been the subject of judicial analysis. This is in no small part because the costs of bringing disputes over the application of the legislation before the courts are generally prohibitive. As readers of this blog will know, there have been some fairly recent county court judgments which have considered the application of the regime (see in particular the posts on the judgments in Elliott and Abadir here and here). However, jurisprudence emanating from the High Court has been decidedly thin on the ground. Today, however, the High Court has handed down an important judgment on the application of the regime: In the Matter of the Southern Pacific Personal Loans Limited [2013] EWHC 2485 (Admin). Readers will want to note in particular that part of the judgment where the court considered the relevance of the applicant’s purpose or motive in making a subject access request (SAR) – as discussed below.

The background to the case is somewhat unusual. In summary, a company which is a member of the Lehman Brothers group of companies, Southern Pacific Loans Limited (C), had gone into voluntary liquidation. Prior to the liquidation proceedings, C had been in the business of offering loans to customers, secured by means of a second mortgage on the customer’s property. C had used a third party company (A) to process data relating to certain of the loans and indeed A continues today to hold data relating to tens of thousands of redeemed loans (“the data”). C had received and was continuing to receive numerous subject access requests in respect of the data. The requests had principally been made by claims handling companies which were using the SARs as a device to obtain data relevant to claims which might potentially be brought by C’s customers. In effect, therefore, the data was being sought in order to advance the customers’ position in the context of prospective litigation rather than for the purposes of ensuring that the customers’ privacy was being properly protected in the context of the processing of their data by C. The costs to C of dealing with the requests were very substantial, averaging at least £40,000 per month (or £455 per request). The liquidators were concerned that a continuation of such costs would potentially have a material impact on the distribution of funds to creditors of C in the liquidation. In a sense this raised the question of whether the rights of data subjects under the DPA could trump those of creditors in a liquidation. The liquidators, seeking to protect the position of the creditors, made an application to the court for declaratory relief which would have the effect of: (a) enabling further subject access requests to be refused and, further, (b) enabling the liquidators to dispose of the data, which were no longer required by C for business purposes.

The following important points emerge from the ratio of the judgment of David Richards J:

  • liquidators cannot be regarded themselves as ‘data controllers’ in respect of data processed by a company in liquidation. This is because liquidators do not act as ‘principals’ in respect of the data but rather as ‘agents’ acting on behalf of the company in liquidation. This is the case irrespective of whether liquidators are acting in the context of voluntary or compulsory liquidations. Thus, liquidators are not personally responsible for ensuring compliance with s. 7 DPA (paras. 17-35)


  • so far as the disposal of data is concerned, regard should be had to the fifth data protection principle which obliges data controllers to ensure that data is not processed for longer than is necessary for the purposes for which it was processed. Looked at from a DPA perspective, this meant data should be ‘disposed of as soon as possible’ (para. 39). The question was therefore whether there were any legal requirements which, in the present case, acted as impediments to the disposal of the data. There were two impediments potentially in play in the present case:


  • first, data could not be disposed of if retention of that data was required in order to enable C to fulfil its statutory subject access obligations in respect of extant SARs (s. 8(6) DPA)


  • second, data could not be disposed of if retention of that data was necessary in order for the liquidators to be able to discharge properly their statutory duties as liquidators. In the present case, that meant that particular data could not be disposed of if retention of the data was required in order to deal with claims which may be lodged against C.

Importantly, however: ‘The liquidators are not under a duty to retain data so that it can remain available to be mined by former customers or claims handling companies with a view to making claims against third parties’ (para. 40). The liquidators were at liberty to dispose of all the data, subject to the two qualifications outlined above (para. 41).

The court also made a number of obiter comments which are particularly worthy of note:

  • data subjects are not entitled to use the SAR to demand disclosure of documents. Their entitlements extend merely to data rather than to documents (para. 43). (This is of course an important consideration as and when applicants are using the SAR regime to obtain advantages in litigation against the data controller or a third party)


  • properly understood, the Court of Appeal’s judgment in Durant v Financial Services Authority is not authority for the proposition that requests under s. 7 DPA may be refused by the data controller if they are being made for the purposes of furthering the data subject’s position in litigation, as opposed to protecting their privacy. The question of whether SARs could lawfully be refused in these circumstances was a question for another day. However, following Durant, the question of the applicant’s purpose was a factor which was relevant to the exercise of the court’s discretion in the context of an application for enforcement made by the applicant under s. 7(9) DPA (para. 46). This last point will come as some relief to the data controller who is facing a heavily litigation-preoccupied data subject.

The court expressly declined to consider the question of the impact of s. 8(2) DPA (the ‘disproportionate effort’ provision). Thus, it did not examine the question previously considered in Ezsias v Welsh Ministers as to whether data controllers can lawfully limit their searches for personal data by reference to what is reasonable and proportionate in all the circumstances (paras. 47-49).

11KBW’s Robin Hopkins acted for the Information Commissioner.

Anya Proops

What does ‘surveillance’ mean?

A five-member panel of the Investigatory Powers Tribunal last week issued its decision in Re: a Complaint of Surveillance (case no: IPT/A1/2013). The decision was on a preliminary point arising from this sort of factual scenario: suppose you voluntarily participate in an interview with policing/investigatory authorities but, unbeknownst to you, the investigators use a device to record that interview. Would this act of recording constitute ‘surveillance’ for the purposes of the Regulation of Investigatory Powers Act 2000 (RIPA), such that authorisation (assuming it to be ‘directed’) was required? Would it engage your rights under Article 8 ECHR?

There are arguments both ways. As the IPT observed, “the wording in Part II [of RIPA] presents some difficulties for the reasonable reader”. The official guidance publications answer the above questions differently: the Office of the Surveillance Commissioners answers ‘yes’, but the Home Office answers ‘no’.

The IPT has agreed with the Home Office’s interpretation.

By s. 48(2) RIPA, Parliament has chosen not to define ‘surveillance’ as such, but to deem that surveillance shall be construed so as to include certain activities. Those deeming examples extend or amplify the ordinary meaning of ‘surveillance’, the essence of which is that the person who is subject to surveillance is intended to remain unaware of those means and does not engage with the person secretly gathering the intelligence. In the IPT’s view, “the notion of a ‘covert interview’ requiring RIPA authorisation is one that is difficult to grasp. An interview is by its very nature an overt intelligence gathering operation in which the interviewee actively participates, even if only to the extent of refusing to answer questions”. Such interviews cannot constitute ‘surveillance’ and Article 8 rights are not engaged here.

It follows that the recording of the interview is not observing or listening to “in the course of surveillance” within the meaning of s. 48(2)(b) of RIPA, and no authorisation is required. The making of the recording only involves the recording process itself. It does not involve a separate act of “observing or listening to” the person being interviewed.

The IPT expressly rejected the contention that, regardless of the purpose, nature or circumstances of the intelligence-gathering activities in question, every act of “observing or listening to persons”, their conversations or communications is automatically treated as surveillance.

Robin Hopkins (@hopkinsrobin)

One hundred years of solicitude

In 2004, a man known as TD was arrested for an alleged sexual assault. He was interviewed twice. No further action was taken. The biometric data was in due course destroyed, as will be the case with others in such positions, thanks to provisions of the Protection of Freedoms Act 2012. But 40 pages of information about his arrest and the allegation are to be retained by the Metropolitan Police in the form of crime reports, and a record shall be retained on the Police National Computer until 2104, when the claimant would be 128 years old. The Metropolitan Police’s policy (of August 2012) concerning Serious Specified Offences provides for retention of such information – without review – for a century. It contends that such long-term policing solicitude as regards these types of allegations is supported by research conducted by University College London in 2009.

TD sought judicial review of this retention decision (i.e. the refusal to delete this information). Last week, in R (TD) v Commissioner of Police for the Metropolis and Secretary of State for the Home Department [2013] EWHC 2231 (Admin), Moses LJ and Burnett J dismissed his application.

The Court surveyed the relevant line of domestic and Strasbourg authorities which have abounded in recent years: R(L), R (C) and (J), S v UK, Catt, MM v UK (the majority of which are covered in Panopticon’s archive).

The Police said its policy will need to be reviewed, but that it was too early to say that the records about TD are of no use.

Moses LJ said this (paragraph 14):

“It is necessary to be cautious as to how far the considerations of the use to which the records may be put take the Commissioner. Every record of an allegation of crime may be of use for the indefinite future, as the research to which the Commissioner refers demonstrates. This was the very argument on which the United Kingdom Government relied in Strasbourg in S, relying on the “inestimable value” of the data [91]. But S shows that the fact that material is of potential use, and, certainly, of greater use than in Catt, is not dispositive. Weighed against that there remains the discomfort or worse that any citizen must feel when the state retains personal information about him, particularly when it relates to an allegation, however unfounded, of a sexual nature. In S, it was recognised that the mere storage and retention of the data amounted to an interference within the meaning of Article 8 (para 67).”

He concluded, however (and Burnett J agreed) that (paragraph 16):

“In my view, now that only nine years have elapsed and in the knowledge that access to the information is restricted to those who seek to investigate a crime it seems to me, like Richards LJ in J, that the Commissioner has demonstrated that the use to which the records of the allegation may be put justifies their retention, at least for the time being.”

The important qualifier was that the Police’s policy should provide for a review of the retention decision, but again, it was considered too early to order any such review in this case.

This will not be the last in this line of cases. The jurisprudential debate about balancing policing utility with the privacy rights of suspects – particularly concerning the question ‘how long is too long?’ – continues.

Robin Hopkins (@hopkinsrobin)

(Scottish) Data protection litigation – South Lanarkshire and more

I have observed (Panopticon passim) that the Data Protection Act 1998 features surprisingly sparingly in litigation. That appears to be somewhat less true of Scotland: for instance, Common Services Agency [2011] 1 Info LR 184, the leading case on anonymisation and barnardisation, came before the House of Lords from Scottish litigation. Here are two more recent examples, one from today, the other from last month.

South Lanarkshire

The Supreme Court has today given judgment in an appeal from the Inner House of the Scottish Court of Session about a FOI(S)A request for the number of individuals employed by South Lanarkshire Council on specific points in the pay structure, for the purposes of analysing compliance with Equal Pay legislation. The Council relied on the personal data exemption (contending that individuals could be identified from the requested information), but the Scottish Information Commissioner ordered disclosure. The Council’s appeal was dismissed by the Court of Session ([2012] CSIH 30) and, today, by the Supreme Court (South Lanarkshire Council v Scottish IC [2013] UKSC 55).

There were two issues for the Supreme Court. First, what does ‘necessary’ mean when it comes to condition 6(1) of schedule 2 to the DPA (the condition most often relied upon in support of disclosing personal data to the public), which provides that:

The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Giving the Court’s judgment, Baroness Hale said that it was obvious that condition 6 requires three questions to be answered: (i) is the data controller or the third party or parties to whom the data are disclosed pursuing a legitimate interest or interests?, (ii) is the processing involved necessary for the purposes of those interests?, and (iii) is the processing unwarranted in this case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject? In her view, “it is not obvious why any further exegesis of those questions is required” (paragraph 18).

Further exegesis was, however, required because of the Council’s submissions as to how strictly the term “necessary” should be construed. Baroness Hale’s answer was entirely unsurprising (see paragraphs 25-28). “Necessary” has to be considered in relation to the processing to which it relates. If the processing involves no interference with Article 8 ECHR rights, then it might be thought that all that has to be asked is whether the requester is pursuing a legitimate interest in seeking the information (which was not at issue in this case) and whether he needs that information in order to pursue it. If the processing does engage Article 8 ECHR rights, then “it is well established in community law that, at least in the context of justification rather than derogation, “necessary” means “reasonably” rather than absolutely or strictly necessary”. None of this will come as a surprise – as, for example, Jon Baines has observed in his Information Rights and Wrongs post. Indeed, as Baroness Hale observed, it is unclear that the stricter standard of necessity for which the Council argued would have been any more favourable to it.

The second issue before the Supreme Court was a natural justice challenge. The Scottish IC had asked the applicant a number of questions during his investigation, and had also received letters supporting the request from a number of MPs. This information had not been shared with the Council.

Baroness Hale observed that it was common ground that the Commissioner has a duty to act fairly (see for example Glasgow City Council v Scottish Information Commissioner [2009] CSIH 73, 2010 SC 125). The Commissioner is entitled to make his own enquiries and formulate cases on behalf of applicants, but “he must, of course, give them notice of any new material which his inquiries have elicited and which is adverse to their interests” (paragraph 31). Her Ladyship further observed (paragraphs 31-32) that:

“31. I would add that the Commissioner is fulfilling more than an administrative function. He is adjudicating upon competing claims. And in Scotland, unlike England and Wales, there is no appeal to a tribunal which can decide questions of both fact and law. The Commissioner is the sole finder of facts, with a right of appeal to the Inner House on a point of law only. These factors clearly enhance his duty to be fair. If wrong findings of fact are made as a result of an unfair process, the Inner House will not be able to correct them.

32. However, it does not follow that every communication passing between the Commissioner and the applicant, or between the Commissioner and third parties such as Members of the Scottish Parliament, has to be copied to the public authority…”

In this case, there was no breach of natural justice, and the Council’s appeal failed on both grounds.

Lyons

Another of the more notable recent data protection cases is also Scottish. Additionally, it touches upon another of my observations (see here, for example) about the potential synergies and overlaps between the DPA and defamation. The case is Lyons v Chief Constable of Strathclyde Police [2013] CSIH 46 A681/10, and will be reported in the upcoming edition of the 11KBW/Justis Information Law Reports. In rough outline, the case concerned Mr Lyons’ complaints about two disclosures about him made by the police authority to regulatory/licensing bodies. The police had said that he was recorded on the Scottish Intelligence Database as having been involved in serious organised crime. Mr Lyons denied such involvement, and sued for defamation and damages under section 13 of the DPA.

His defamation claim failed because the police’s communications were made in circumstances which attracted qualified privilege, and were not tainted by malice.

The DPA claim failed too. The accuracy requirement of the fourth data protection principle had not been breached, because even if “Mr Lyons is involved in crime” were inaccurate, “Mr Lyons is recorded on the database as being involved in crime” could not be said to be inaccurate. The police’s reporting of that information arguably lent it some credence, but there was no indication on the facts of unequivocal endorsement of these statements such as to constitute the processing of inaccurate personal data by the police. Here the Court considered the Kordowski DPA/defamation case.

There was also an argument that disclosure of this information had been unfair, though (surprisingly) the case does not appear to have been pleaded as such. The essence of the unfairness argument was that, in Mr Lyons’ view, the police should have contextualised its disclosures by explaining to the recipients the source of the intelligence as to his alleged criminal involvement. The Court of Session dismissed this argument: the police could not sensibly disclose the identities of informants, given the DPA rights of the informants themselves, while Mr Lyons would not be entitled to learn through a subject access request who the informants were (see the exemptions under sections 29 and 31 of the DPA).

Here are a few interesting DPA points to emerge from the Court’s discussion. One is that if a data controller endorses the veracity of inaccurate information obtained from someone else, that is not of itself a breach of the DPA (see paragraph 21). Some might query this, at least if applied inflexibly.

A second interesting point is that some might argue as follows: “to present decontextualised allegations in a manner which suggests you consider them credible could surely constitute unfairness. Perhaps you were not required to name your sources, but in the interests of fairness you could at least have made clear that you were passing on information obtained from others whom you considered to be credible”. Roughly that sort of argument seems to have been advanced here; no doubt the facts did not ultimately support it, but stepping back from the facts of this case, the (admittedly woolly and under-litigated) notion of fairness would arguably demand such an approach in many cases.

A third and final point of interest: the complainant relied on what he said were breaches by the police of a number of common law principles emerging from judicial review jurisprudence and the like. The Court was not impressed by their relevance to alleged DPA breaches, at least in the context of this case: see paragraphs 26-27, where the Court suggested that for there to be a DPA breach, there must be a particular DPA requirement which has been breached (though admittedly it did observe earlier in its judgment that ‘lawful’ in the context of the first data protection principle has no special meaning). Some might argue that fairness and lawfulness are designed to be broad enough to encompass principles outside of the black letters of DPA law. Indeed, Article 8 ECHR is increasingly the focus of arguments as to the lawfulness of processing: see for example the ICO’s enforcement notice concerning the use of ANPR cameras in the policing context, issued last week.

In other words, the DPA is not designed to be an entirely self-contained legal world, but rather to protect personal information by reference to all considerations having a bearing on what is being done with that individual’s information, whether or not they are listed by name in the DPA. This is not necessarily a point of disagreement with the Lyons outcome, but a broader observation about what kind of a creature the DPA is, or is intended to be.

Robin Hopkins (@hopkinsrobin)