Following the Queen’s Speech, an Intellectual Property Bill has been introduced in the House of Lords. Clause 19 inserts a new exemption into the FoIA (Section 22A). The exemption is for continuing programmes of research intended for future publication. Subsection 1(a) of Clause 19 provides that information is exempt from a Section 1(1)(b) FoIA disclosure requirement if it relates to information obtained in the course of, or derived from, a programme of continuing research that is intended for future publication. Subsection (1)(b) of the new Clause, however, provides that the information will be exempt only if disclosure would, or would be likely to, prejudice a matter listed in that subsection. The exemption will not be an absolute exemption. It will be subject to the public interest balance test. Public authorities will not be required to confirm or deny that they hold Section 22A information if, or to the extent that, compliance would, or would be likely to prejudice, any of the matters mentioned in subsection (1)(b). The Government does not consider that the new exemption raises any issues of compatibility under ECHR Article 10.
EIR: when is information ‘held’?
One of the issues which commonly arises for information law practitioners is the question, which arises under both FOIA and the EIR, of whether a public authority actually holds the information which has been requested. The leading case on section 1(1) FOIA is University of Newcastle v IC & British Union for the Abolition of Vivisection [2011] UKUT 185 (AAC), [2011] 2 Info LR 54 and substantially the same approach has been adopted in, for example, Keiller v IC and University of East Anglia [2012] 1 Info LR 128 and Clyne v IC & London Borough of Lambeth [2012] 2 Info LR 24 in relation to regulation 3(2) EIR. What is required is a common-sense and non-technical approach. That, of course, is easier stated than applied.
The issue arose again in Holland v IC & University of East Anglia (EA/2012/0098). Like Keiller, this case was concerned with the Climatic Research Unit (“CRU”) at UEA, the source of the so-called ‘Climategate’ controversy. Readers will recall that in November 2009 there was an unauthorised disclosure of a large number of emails concerning work undertaken at the CRU. The ensuing controversy led the university to set up the Independent Climate Change E-mail Review (“ICCER”) chaired by Sir Muir Russell, which reported in 2010.
Mr Holland, who had made a submission to the ICCER, requested “copies of all of the information held” by it. A lot of information had been published on the ICCER’s own website, and essentially what remained, the tribunal found, was the Review’s “working papers”. It seems not to have been in issue that they were in the physical possession of Sir Muir Russell or his solicitors and not UEA. The issue was, therefore, whether the information was held ‘on behalf of’ UEA for EIR purposes. The Commissioner thought not, and the tribunal agreed with him.
Directing itself by reference to BUAV as well as a number of other FTT decisions, the Tribunal decided that it needed first to examine the nature of the legal and practical relationship between UEA and the ICCER/Sir Muir Russell. It found that the inquiry could have been conducted internally, but that UEA had decided to externalise it not, as Mr Holland had argued, in order to avoid its obligations under FOIA and the EIR, but “at a time when UEA’s credibility was very much at stake, in order to inspire confidence in the independence of the findings” (para 104). It went on to find that there was nothing in the EIR, nor in the Aarhus Convention, which prevents public bodies from externalising functions or which means that environmental information thereby created is necessarily held by the public body (para 105). Although there was no written document evidencing a contract between Sir Muir and UEA, the Tribunal found that a contract did exist (para 108). It did, however, express considerable surprise at the absence of a written contract and of the fact that “there was no discussion … about the information that would be received or generated by the ICCER” (para 110). Nevertheless, the Tribunal accepted that both parties had proceeded on the assumption that UEA would have no claim to or be able to access the information and that it would be held by the ICCER on its own behalf (para 114).
The Tribunal went on to hold that there was no other sense in which the ICCER was beholden to UEA or in which its independence was compromised. It was not, as Mr Holland had argued, merely a ‘sham’: “we do not find it likely that [UEA] would have compounded its problems so greatly, and risked its credibility so completely, by setting up an inquiry that was independent in name only” (para 116). Neither the involvement of a Professor Boulton on the Review panel (who had previously worked for UEA) nor the decision not to publish the Appellant’s submission in full affected the fundamental independence of the ICCER (paras 117-118). It followed that the information requested was not held ‘on behalf of’ UEA and the appeal therefore failed. Interestingly, the Tribunal did perhaps give some succour to Mr Holland by saying in para 122 “It may be that the information should be held by the UEA and there may be good reason why, barring anything provided in confidence, the information should be passed to the UEA to form part of its historical records. Were that to happen, then in the future, the information may be held by the UEA.” Leaving aside the question-begging first sentence (why, in EIR terms, ‘should’ UEA hold this information?), the second sentence is an important reminder that the answer to the question of whether information is held is one which is liable to change over time and with circumstances.
Edd Capewell
Article 8 and enhanced criminal record certificates
There have been a number of Panopticon posts about the lawfulness of disclosures in enhanced criminal record certificates. The latest decision is that of Mr Justice Stuart-Smith in R (L) v Chief Constable of Cumbria Constabulary [2013] EWHC 869 (Admin).
The principles are now well established. In R (L) v Commissioner of Police of the Metropolis [2010] 1 AC 410 the Supreme Court identified that s.113B (4) of the Police Act 1997 requires that information can only be included in an enhanced criminal record certificate if, in the Chief Officer’s opinion, the information might be relevant and ought to be included in the certificate. Where it is alleged that disclosure would breach an individual’s rights under Article 8 ECHR, the Court must take into account up to date information to reach its own judgment (without deference to the Chief Constable) as to whether or not there has been an interference with the applicant’s right to private life and, if such interference has occurred, whether it is lawful.
In this case, the claimant (“L”) was an experienced secondary school teacher aged in his mid-forties. He challenged the Chief Constable of Cumbria Constabulary’s decisions, communicated by letters dated 15 May and 27 July 2012, not to remove contested information from the “other relevant information” section of the claimant’s enhanced criminal record certificates.
The following is an example of the information disclosed to L’s prospective employers:
“Cumbria Constabulary hold the following information which we believe to be relevant to the application of L …. The information relates to an allegation of inappropriate behaviour towards a female pupil of the school where L was employed as a teacher. Cumbria Constabulary believe this information to be relevant to an employer’s risk and suitability assessment when considering L‟s application for the post of supply teacher with vision for education, working with children and vulnerable adults, because the information, which is considered likely to be true, indicates an abuse by L of the position of trust in which he was placed as a teacher.
The information held by police involves an allegation by an 18- year old female that on 07.05.10, whilst in licensed premises, L had inappropriately hugged her and persistently asked her to go home with him, offering her £200 to do so, causing her to feel vulnerable and harassed. The complainant was a pupil at the school where L was employed as a teacher and he had known her since she was 12 or 13 years of age when he was her teacher.
When interviewed by police, L agreed that he had been present that evening but denied all allegations stating that he had not seen or spoken to the complainant. No further police action was taken against L in relation to these allegations as the complainant was 18 years of age and therefore no criminal offences had been committed.
After careful consideration, Cumbria Constabulary considers that this information ought to be disclosed as the alleged incident of inappropriate behaviour occurred in relation to a female pupil of the school where L was a teacher at the time. The information is materially relevant to the post of supply teacher applied for in which L will have regular and unsupervised contact with children and young adults. The risks of similar inappropriate behaviour of a sexual nature by L towards vulnerable young persons must, in this instance, outweigh the prejudicial impact that disclosure may have on L‟s private life and employment prospects as a teacher.”
Mr Justice Stuart-Smith held that the Chief Constable was obliged and right to carry out an assessment of reliability, but that he did not have materials available to him that could justify a determination that some form of communication had taken place between the claimant and the pupil. There was ample material upon which the Chief Constable could have reached the conclusion that the pupil’s evidence may well have been reliable, but the real possibility remained that the allegations were without foundation.
Mr Justice Stuart-Smith went on to find that even if the allegations were true, “the risk disclosed by the one episode of which she complained was not shown to be anything other than slight and was a risk to a very limited class of persons in tightly defined circumstances” (namely, current and former pupils whom L might come across in a pub). The incident alleged was itself relatively minor in the overall scheme of sexually inappropriate behaviour and it was an isolated incident in a long career. The incident had not been properly or fully investigated.
Further, the disclosure was made in circumstances where both the General Teaching Council and the Independent Safeguarding Authority had concluded that there was no case to answer. However, the result of the disclosure “had been as severe for L’s employment prospects as if he had been convicted of a serious offence of sexual misconduct and placed on the Sex Offenders’ Register: it is a killer blow and its effects are likely to be long lasting”.
Mr Justice Stuart-Smith concluded that “any proper balancing exercise comes down in favour of the conclusion that this interference with L’s Article 8 rights is disproportionate and unjustifiable, particularly in a jurisdiction where people are generally to be presumed innocent until proved guilty … the defendant has not shown a pressing need for the disclosure, because of the limited circumstances in which a possible risk of repetition might arise and the relative lack of gravity of the alleged conduct. Nor has the defendant shown that the means used to impair L’s rights are no more than necessary to accomplish a legitimate objective”. The disclosures in the enhanced criminal record certificates had breached his Article 8 ECHR rights.
Rachel Kamm, 11KBW
MPs’ expenses: copies of receipts are subject to FOIA
Following the MPs’ expenses scandal, the then newly-founded Independent Parliamentary Standards Authority (IPSA) decided that it would not routinely publish images of the receipts submitted to IPSA by MPs in support of their expenses claims. Rather, only text transcribed from the submitted receipts was to be published.
The question that arose in IPSA v Information Commissioner (EA/2012/0242) was whether images of those receipts held by IPSA contained “information” within the meaning of section 1 of FOIA, which was not captured by the transcription process favoured by IPSA. In a decision handed down today, the First-Tier Tribunal held that those images do contain such information, and so dismissed IPSA’s appeal. The receipts in question related to claims made by John Bercow MP, Alan Keen MP and George Osborne MP in 2010, which were requested by Mr Brian Leapman of the Daily Telegraph (whose FOIA requests, together with those of others, had played a vital role in the exposure of the old system of MPs’ expenses). The decision is an unusual and interesting instance of the question of “what is information?” arising for consideration in the FOIA context.
Information is defined by section 84 of FOIA (“‘information’ (subject to sections 51(8) and 75(2)) means information recorded in any form”). The tribunal concluded that, in this case, this definition included logos, letterheads, “handwriting/manuscript comments”, and “the layout and style/design of the requested documents” – each of which were not disclosed to Mr Leapman as a result of providing a transcription, rather than a copy, of the relevant receipts. The tribunal rejected IPSA’s submission that those materials were “merely presentational”, and went on to consider further examples of information falling within section 1 of FOIA that could be of forensic value to a person investigating expenses claims by MPs:
“…a signature on an invoice may indicate fraud if it was identical to the claimant’s signature or that of a member of his team; a shoddily presented invoice may call into question the legitimacy of the company said to have issued it, or a letterhead or logo may have changed or be different to the one usually associated with a particular company – again bringing the legitimacy of the invoice into question.”
The tribunal noted that IPSA insists on seeing actual receipts for its own purposes, and that the Chief Executive of IPSA had accepted in evidence that “sight of the receipt might be more informative”.
In arriving to the conclusions above, the tribunal rejected an attempt by IPSA to rely on section 11 of FOIA to justify the method by which it chose to disclose information to Mr Leapman. Section 11(4), permits a public authority to use a means of communicating requested information that is “reasonable in the circumstances”; and section 11(1) requires a public authority to give effect to a preference for a particular form of communication to the extent that it is “reasonably practicable”. IPSA argued that for practical reasons it was not reasonable or reasonably practicable for it to fulfill Mr Leapman’s alleged preference for disclosure by a particular means of communication (see paragraph 14).
The tribunal found, however, that section 11 cannot operate to enable a public authority to limit the information which it is obliged to disclose. Rather, the principle question for the tribunal was whether the disclosure by IPSA to Mr Leapman in fact conveyed all of the non-exempt information contained within the receipts. As the answer to that question was “no”, it was not necessary for the tribunal to go on to consider the applicability of section 11.
Robin Hopkins appeared for the Information Commissioner; Philip Coppel QC appeared for IPSA.
Tom Ogg
Data protection: trends, possibilities and FOI disclosures
At 11KBW’s information law seminar in May, one of the discussion topics was ‘the future of data protection’. Here are some further thoughts on some interesting trends and developments.
Progress at the EU level
A major issue on this front is of course progress on the draft EU Data Protection Regulation – on which see this blog post from the ICO’s David Smith for an overview of the issues currently attracting the most debate. While that negotiation process runs its course, the Article 29 Working Party continues to provide influential guidance for users and regulators on some of the thorniest data protection issues. Its most recent opinion addresses purpose limitation, i.e. the circumstances under which data obtained for one purpose can be put to another. A summary of its views is available here.
Subject access requests
Turning to domestic DPA litigation in the UK, practitioners should watch out for a number of other developments (actual or potential) over the coming months. On the subject access request front, for example, data controllers have tended to take comfort from two themes in recent judgments (such as Elliott and Abadir, both reported on Panopticon). In short, the courts in those cases have agreed that (i) data controllers need only carry out reasonable and proportionate searches, and (ii) that section 7(9) claims being pursued for the collateral purpose of aiding other substantive litigation will be an abuse of process.
Data controllers should, however, note that neither of those points is free from doubt: there are plenty who doubt the legal soundness of the proportionality point, and the abuse of process point has arisen for section 7(9) claims to the court – it should not, in other words, be relied upon too readily to refuse requests themselves.
Damages
Damages under section 13 of the DPA is another area of potentially important change. The Halliday v Creation Consumer Finance case (briefly reported by Panopticon) has been given further discussion in the Criminal Law & Justice Weekly here. Based on that information, perhaps the most interesting point is this: defendants have rightly taken comfort from the requirement under section 13 that compensation for distress can be awarded only where damage has also been suffered. In Halliday, however, nominal damages (of £1) were awarded, thereby apparently fulfilling the ‘damage’ requirement and opening the door for a ‘distress’ award (though note that Panopticon has not yet seen a full judgment from the Court of Appeal in this case, so do not take this as a definitive account). If that approach becomes standard practice, claimants may be in much stronger positions for seeking damages.
A further potential development on the damages front arises out of monetary penalty notices: data controllers who are subject to hefty penalties by the ICO may in some cases also find themselves facing section 13 claims from the affected data subjects themselves, presenting a worrying prospect of paying out twice for the same mistake.
Disclosure of personal data in the FOIA context
In general terms, requesters struggle to obtain the personal data of others through FOIA requests. A couple of very recent decisions have, however, gone the other way.
In White v IC and Carmarthenshire County Council (EA/2012/0238), the First-Tier Tribunal allowed the requester’s appeal and ordered disclosure of a list of licensed dog-breeders in the council’s area. In particular, it concluded that (paragraphs 21-23):
“…the Tribunal believes – on the facts of this case – that an important factor for any assessment in relation to the “fairness” of the disclosure of the personal data is best discovered from the context in which the personal data was provided to the Council in the first place.
22. The context, here, is to secure a commercial licence required by law to breed dogs. That license is necessary for the local authority to know who the licensed dog breeders in that area are, and so that the law can be enforced and welfare checks can be conducted as and when necessary in relation to the welfare of the dogs being bred commercially.
23. Licensing – in the ordinary course of things – is a public regulatory process. Indeed it was a public process in Carmarthenshire, in relation to the information that is at the core of this appeal, until the Council changed its policy in 2008.”
The Tribunal was unimpressed by the suggestive language of a survey of dog breeders which the council had carried out to support its case for non-disclosure. It also noted that a neighbouring council had disclosed such information.
The First-Tier Tribunal issued its decision in Dicker v IC (EA/2012/0250) today. It allowed the requester’s appeal and ordered disclosure of the salary of the chief executive of the NHS Surrey PCT over specified time periods, including total remuneration, expenses allowance, pension contributions and benefit details. As to legitimate interests in disclosure, the Tribunal said that (paragraph 13):
“In this case the arrangements (including secondment and recharge from another public authority at one stage) mean that the arrangements are not as transparent as might be wished and it is not entirely clear from the information published (as opposed to the assurances given) that the national pay guidance has been complied with. Mr Dicker asserted that the CEO was paid in excess of the national framework. The Tribunal was satisfied that there was a legitimate public interest in demonstrating that the national framework had been complied with and that the published information did not properly establish this”.
On the questions of distress and privacy infringements, the Tribunal took this view (paragraph 14):
“The CEO is a prominent public servant discharging heavy responsibilities who must expect to be scrutinised. Individuals in such circumstances are rational, efficient, hard-working and robust. They are fully entitled to a high degree of respect for their private lives. However the protection of personal information about their families and their health is a very different matter from having in the public domain information about income… The Tribunal simply cannot accept that anyone in such a role would feel the slightest distress, or consider that there has been any intrusion or that they would be prejudiced in any way by such information. From the perspective of the individual such information is essentially trivial; indeed, in other European societies, such information would be routinely available.”
If this approach were to become standard, the implications for public authorities would be significant.
Further, there are two very important personal data FOIA cases to look out for in the coming months. Following its decision in the Edem case late in 2012, the Upper Tribunal’s next consideration of personal data in the FOIA context is the appeal in the Morley v IC & Surrey Heath Borough Council (EA/2011/0173) case, in which the Tribunal – in a majority decision in which Facebook disclosures played a significant part – ordered the disclosure of names of certain youth councillors.
More importantly, the Supreme Court will hear an appeal from the Scottish Court of Session in July about a FOISA request for the number of individuals employed by the Council on specific points in the pay structure. The council relied on the personal data exemption (contending that individuals could be identified from the requested information), but the Scottish Information Commissioner ordered disclosure and succeeded before Scotland’s highest court. The Supreme Court will consider issues including the approach to ‘legitimate interests’ under condition 6(1) of schedule 2 to the DPA (the condition most often relied upon in support of disclosing personal data to the public). The case is likely to have far-reaching implications. For more detail, see Alistair Sloan’s blog.
Panopticon will, as ever, keep its eye on these and other related developments.
Robin Hopkins
11KBW Information Law Conference on 18th April 2013 – Richard Thomas CBE to give keynote address
We are delighed that Richard Thomas CBE, the former Information Commissioner, will be giving the keynote address at our conference on 18th April. His title is, “Risk, Accountability and Binding Corporate Codes: New Thinking for the draft Regulation.”
There is a widely-held view that the proposed EU Regulation on data protection is over-burdensome, and focused more on bureaucracy than protection. A more creative and flexible approach is needed, with better-defined outcomes, encouraging businesses which present the greatest risks to adopt comprehensive privacy programmes. Richard Thomas will outline how such an approach could be put at the heart of the Regulation, drawing upon a Risk Framework, the Accountability Principle, and Binding Corporate Codes.
We are also delighted that Richard will be able to join us for the expert panel discussion which will take place immediately after his keynote address.
For full details of the event, including booking information, see our earlier post here.