Article 8 and enhanced criminal record certificates

There have been a number of Panopticon posts about the lawfulness of disclosures in enhanced criminal record certificates. The latest decision is that of Mr Justice Stuart-Smith in R (L) v Chief Constable of Cumbria Constabulary [2013] EWHC 869 (Admin).

The principles are now well established. In R (L) v Commissioner of Police of the Metropolis [2010] 1 AC 410 the Supreme Court identified that s.113B (4) of the Police Act 1997 requires that information can only be included in an enhanced criminal record certificate if, in the Chief Officer’s opinion, the information might be relevant and ought to be included in the certificate. Where it is alleged that disclosure would breach an individual’s rights under Article 8 ECHR, the Court must take into account up to date information to reach its own judgment (without deference to the Chief Constable) as to whether or not there has been an interference with the applicant’s right to private life and, if such interference has occurred, whether it is lawful.

In this case, the claimant (“L”) was an experienced secondary school teacher aged in his mid-forties. He challenged the Chief Constable of Cumbria Constabulary’s decisions, communicated by letters dated 15 May and 27 July 2012, not to remove contested information from the “other relevant information” section of the claimant’s enhanced criminal record certificates.

The following is an example of the information disclosed to L’s prospective employers:

 “Cumbria Constabulary hold the following information which we believe to be relevant to the application of L  …. The information relates to an allegation of inappropriate behaviour towards a female pupil of the school where L was employed as a teacher. Cumbria Constabulary believe this information to be relevant to an employer’s risk and suitability assessment when considering L‟s application for the post of supply teacher with vision for education, working with children and vulnerable adults, because the information, which is considered likely to be true, indicates an abuse by L of the position of trust in which he was placed as a teacher.

The information held by police involves an allegation by an 18- year old female that on 07.05.10, whilst in licensed premises, L had inappropriately hugged her and persistently asked her to go home with him, offering her £200 to do so, causing her to feel vulnerable and harassed. The complainant was a pupil at the school where L was employed as a teacher and he had known her since she was 12 or 13 years of age when he was her teacher.

When interviewed by police, L agreed that he had been present that evening but denied all allegations stating that he had not seen or spoken to the complainant. No further police action was taken against L in relation to these allegations as the complainant was 18 years of age and therefore no criminal offences had been committed.

After careful consideration, Cumbria Constabulary considers that this information ought to be disclosed as the alleged incident of inappropriate behaviour occurred in relation to a female pupil of the school where L was a teacher at the time. The information is materially relevant to the post of supply teacher applied for in which L will have regular and unsupervised contact with children and young adults. The risks of similar inappropriate behaviour of a sexual nature by L towards vulnerable young persons must, in this instance, outweigh the prejudicial impact that disclosure may have on L‟s private life and employment prospects as a teacher.”

Mr Justice Stuart-Smith held that the Chief Constable was obliged and right to carry out an assessment of reliability, but that he did not have materials available to him that could justify a determination that some form of communication had taken place between the claimant and the pupil. There was ample material upon which the Chief Constable could have reached the conclusion that the pupil’s evidence may well have been reliable, but the real possibility remained that the allegations were without foundation.

Mr Justice Stuart-Smith went on to find that even if the allegations were true, “the risk disclosed by the one episode of which she complained was not shown to be anything other than slight and was a risk to a very limited class of persons in tightly defined circumstances” (namely, current and former pupils whom L might come across in a pub). The incident alleged was itself relatively minor in the overall scheme of sexually inappropriate behaviour and it was an isolated incident in a long career. The incident had not been properly or fully investigated.

Further, the disclosure was made in circumstances where both the General Teaching Council and the Independent Safeguarding Authority had concluded that there was no case to answer. However, the result of the disclosure “had been as severe for L’s employment prospects as if he had been convicted of a serious offence of sexual misconduct and placed on the Sex Offenders’ Register: it is a killer blow and its effects are likely to be long lasting”.

Mr Justice Stuart-Smith concluded that “any proper balancing exercise comes down in favour of the conclusion that this interference with L’s Article 8 rights is disproportionate and unjustifiable, particularly in a jurisdiction where people are generally to be presumed innocent until proved guilty … the defendant has not shown a pressing need for the disclosure, because of the limited circumstances in which a possible risk of repetition might arise and the relative lack of gravity of the alleged conduct. Nor has the defendant shown that the means used to impair L’s rights are no more than necessary to accomplish a legitimate objective”. The disclosures in the enhanced criminal record certificates had breached his Article 8 ECHR rights.

Rachel Kamm, 11KBW

MPs’ expenses: copies of receipts are subject to FOIA

Following the MPs’ expenses scandal, the then newly-founded Independent Parliamentary Standards Authority (IPSA) decided that it would not routinely publish images of the receipts submitted to IPSA by MPs in support of their expenses claims.  Rather, only text transcribed from the submitted receipts was to be published.

The question that arose in IPSA v Information Commissioner (EA/2012/0242) was whether images of those receipts held by IPSA contained “information” within the meaning of section 1 of FOIA, which was not captured by the transcription process favoured by IPSA. In a decision handed down today, the First-Tier Tribunal held that those images do contain such information, and so dismissed IPSA’s appeal. The receipts in question related to claims made by John Bercow MP, Alan Keen MP and George Osborne MP in 2010, which were requested by Mr Brian Leapman of the Daily Telegraph (whose FOIA requests, together with those of others, had played a vital role in the exposure of the old system of MPs’ expenses). The decision is an unusual and interesting instance of the question of “what is information?” arising for consideration in the FOIA context.

Information is defined by section 84 of FOIA (“‘information’ (subject to sections 51(8) and 75(2)) means information recorded in any form”).  The tribunal concluded that, in this case, this definition included logos, letterheads, “handwriting/manuscript comments”, and “the layout and style/design of the requested documents” – each of which were not disclosed to Mr Leapman as a result of providing a transcription, rather than a copy, of the relevant receipts.  The tribunal rejected IPSA’s submission that those materials were “merely presentational”, and went on to consider further examples of information falling within section 1 of FOIA that could be of forensic value to a person investigating expenses claims by MPs:

“…a signature on an invoice may indicate fraud if it was identical to the claimant’s signature or that of a member of his team; a shoddily presented invoice may call into question the legitimacy of the company said to have issued it, or a letterhead or logo may have changed or be different to the one usually associated with a particular company – again bringing the legitimacy of the invoice into question.

The tribunal noted that IPSA insists on seeing actual receipts for its own purposes, and that the Chief Executive of IPSA had accepted in evidence that “sight of the receipt might be more informative”.

In arriving to the conclusions above, the tribunal rejected an attempt by IPSA to rely on section 11 of FOIA to justify the method by which it chose to disclose information to Mr Leapman. Section 11(4), permits a public authority to use a means of communicating requested information that is “reasonable in the circumstances”; and section 11(1) requires a public authority to give effect to a preference for a particular form of communication to the extent that it is “reasonably practicable”.  IPSA argued that for practical reasons it was not reasonable or reasonably practicable for it to fulfill Mr Leapman’s alleged preference for disclosure by a particular means of communication (see paragraph 14).

The tribunal found, however, that section 11 cannot operate to enable a public authority to limit the information which it is obliged to disclose.  Rather, the principle question for the tribunal was whether the disclosure by IPSA to Mr Leapman in fact conveyed all of the non-exempt information contained within the receipts.  As the answer to that question was “no”, it was not necessary for the tribunal to go on to consider the applicability of section 11.

Robin Hopkins appeared for the Information Commissioner; Philip Coppel QC appeared for IPSA.

Tom Ogg

Data protection: trends, possibilities and FOI disclosures

At 11KBW’s information law seminar in May, one of the discussion topics was ‘the future of data protection’. Here are some further thoughts on some interesting trends and developments.

Progress at the EU level

A major issue on this front is of course progress on the draft EU Data Protection Regulation – on which see this blog post from the ICO’s David Smith for an overview of the issues currently attracting the most debate. While that negotiation process runs its course, the Article 29 Working Party continues to provide influential guidance for users and regulators on some of the thorniest data protection issues. Its most recent opinion addresses purpose limitation, i.e. the circumstances under which data obtained for one purpose can be put to another. A summary of its views is available here.

Subject access requests

Turning to domestic DPA litigation in the UK, practitioners should watch out for a number of other developments (actual or potential) over the coming months. On the subject access request front, for example, data controllers have tended to take comfort from two themes in recent judgments (such as Elliott and Abadir, both reported on Panopticon). In short, the courts in those cases have agreed that (i) data controllers need only carry out reasonable and proportionate searches, and (ii) that section 7(9) claims being pursued for the collateral purpose of aiding other substantive litigation will be an abuse of process.

Data controllers should, however, note that neither of those points is free from doubt: there are plenty who doubt the legal soundness of the proportionality point, and the abuse of process point has arisen for section 7(9) claims to the court – it should not, in other words, be relied upon too readily to refuse requests themselves.

Damages

Damages under section 13 of the DPA is another area of potentially important change. The Halliday v Creation Consumer Finance case (briefly reported by Panopticon) has been given further discussion in the Criminal Law & Justice Weekly here. Based on that information, perhaps the most interesting point is this: defendants have rightly taken comfort from the requirement under section 13 that compensation for distress can be awarded only where damage has also been suffered. In Halliday, however, nominal damages (of £1) were awarded, thereby apparently fulfilling the ‘damage’ requirement and opening the door for a ‘distress’ award (though note that Panopticon has not yet seen a full judgment from the Court of Appeal in this case, so do not take this as a definitive account). If that approach becomes standard practice, claimants may be in much stronger positions for seeking damages.

A further potential development on the damages front arises out of monetary penalty notices: data controllers who are subject to hefty penalties by the ICO may in some cases also find themselves facing section 13 claims from the affected data subjects themselves, presenting a worrying prospect of paying out twice for the same mistake.

Disclosure of personal data in the FOIA context

In general terms, requesters struggle to obtain the personal data of others through FOIA requests. A couple of very recent decisions have, however, gone the other way.

In White v IC and Carmarthenshire County Council (EA/2012/0238), the First-Tier Tribunal allowed the requester’s appeal and ordered disclosure of a list of licensed dog-breeders in the council’s area. In particular, it concluded that (paragraphs 21-23):

“…the Tribunal believes – on the facts of this case – that an important factor for any assessment in relation to the “fairness” of the disclosure of the personal data is best discovered from the context in which the personal data was provided to the Council in the first place.

22. The context, here, is to secure a commercial licence required by law to breed dogs. That license is necessary for the local authority to know who the licensed dog breeders in that area are, and so that the law can be enforced and welfare checks can be conducted as and when necessary in relation to the welfare of the dogs being bred commercially.

23. Licensing – in the ordinary course of things – is a public regulatory process. Indeed it was a public process in Carmarthenshire, in relation to the information that is at the core of this appeal, until the Council changed its policy in 2008.”

The Tribunal was unimpressed by the suggestive language of a survey of dog breeders which the council had carried out to support its case for non-disclosure. It also noted that a neighbouring council had disclosed such information.

The First-Tier Tribunal issued its decision in Dicker v IC (EA/2012/0250) today. It allowed the requester’s appeal and ordered disclosure of the salary of the chief executive of the NHS Surrey PCT over specified time periods, including total remuneration, expenses allowance, pension contributions and benefit details. As to legitimate interests in disclosure, the Tribunal said that (paragraph 13):

“In this case the arrangements (including secondment and recharge from another public authority at one stage) mean that the arrangements are not as transparent as might be wished and it is not entirely clear from the information published (as opposed to the assurances given) that the national pay guidance has been complied with. Mr Dicker asserted that the CEO was paid in excess of the national framework. The Tribunal was satisfied that there was a legitimate public interest in demonstrating that the national framework had been complied with and that the published information did not properly establish this”.

On the questions of distress and privacy infringements, the Tribunal took this view (paragraph 14):

“The CEO is a prominent public servant discharging heavy responsibilities who must expect to be scrutinised. Individuals in such circumstances are rational, efficient, hard-working and robust. They are fully entitled to a high degree of respect for their private lives. However the protection of personal information about their families and their health is a very different matter from having in the public domain information about income… The Tribunal simply cannot accept that anyone in such a role would feel the slightest distress, or consider that there has been any intrusion or that they would be prejudiced in any way by such information. From the perspective of the individual such information is essentially trivial; indeed, in other European societies, such information would be routinely available.”

If this approach were to become standard, the implications for public authorities would be significant.

Further, there are two very important personal data FOIA cases to look out for in the coming months. Following its decision in the Edem case late in 2012, the Upper Tribunal’s next consideration of personal data in the FOIA context is the appeal in the Morley v IC & Surrey Heath Borough Council (EA/2011/0173) case, in which the Tribunal – in a majority decision in which Facebook disclosures played a significant part – ordered the disclosure of names of certain youth councillors.

More importantly, the Supreme Court will hear an appeal from the Scottish Court of Session in July about a FOISA request for the number of individuals employed by the Council on specific points in the pay structure. The council relied on the personal data exemption (contending that individuals could be identified from the requested information), but the Scottish Information Commissioner ordered disclosure and succeeded before Scotland’s highest court. The Supreme Court will consider issues including the approach to ‘legitimate interests’ under condition 6(1) of schedule 2 to the DPA (the condition most often relied upon in support of disclosing personal data to the public). The case is likely to have far-reaching implications. For more detail, see Alistair Sloan’s blog.

Panopticon will, as ever, keep its eye on these and other related developments.

Robin Hopkins

11KBW Information Law Conference on 18th April 2013 – Richard Thomas CBE to give keynote address

We are delighed that Richard Thomas CBE, the former Information Commissioner, will be giving the keynote address at our conference on 18th April.  His title is, “Risk, Accountability and Binding Corporate Codes: New Thinking for the draft Regulation.”

There is a widely-held view that the proposed EU Regulation on data protection is over-burdensome, and focused more on bureaucracy than protection. A more creative and flexible approach is needed, with better-defined outcomes, encouraging businesses which present the greatest risks to adopt comprehensive privacy programmes. Richard Thomas will outline how such an approach could be put at the heart of the Regulation, drawing upon a Risk Framework, the Accountability Principle, and Binding Corporate Codes.

We are also delighted that Richard will be able to join us for the expert panel discussion which will take place immediately after his keynote address.

For full details of the event, including booking information, see our earlier post here.

 

You wait ages for an official report about the ICO’s data protection audit powers

… and then two come along at once.

On 21st March 2013 the House of Commons Justice Committee published a report about the ICO (see our earlier post here), recommending, among other matters, that the ICO should be given the power to carry out compulsory data protection audits of NHS Trusts and local authorities. With uncanny speed, on 25th March 2013 the Ministry of Justice (MOJ) published a consultation document on the proposed extension of the ICO’s compulsory audit powers to cover NHS bodies. Despite the coincidence of timing, the MOJ’s proposal is not in fact a response to the Justice Committee’s report, but is prompted by a recommendation from the ICO itself.

The MOJ’s consultation document asserts that significant data protection compliance problems exist within the NHS. Over the last six calendar years (2007-2012) the ICO has received over 5,000 data protection complaints from individuals about the health sector: the only sectors that have generated more complaints over that period are lenders, local government, and general business. During the same period, the NHS self-reported over 500 data security breaches to the ICO. The MOJ document gives six examples of monetary penalty notices against NHS bodies, for amounts ranging between £60,000 and £325,000.

The ICO can already carry out consensual audits of NHS bodies; the MOJ document refers to a number of issues that have been highlighted as a result of these, including the use of unencrypted mobile media holding sensitive personal data. Most NHS consensual audits have come about as a result of referrals from the ICO’s Enforcement team, but of the NHS organisations referred for audit by Enforcement only 53% have agreed. This compares unfavourably to the 71% level of agreement for the public sector as a whole.

A compulsory audit can be initiated by the ICO serving an “assessment notice” under DPA section 41A. Where this power exists, data controllers can still agree to consensual audits; and according to the MOJ report, no assessment notices have yet been served, because 100% of data controllers covered by the existing scope of section 41A have agreed to an audit when asked to do so by the ICO. In other words, the mere existence of the power of compulsory audit has been enough to secure compliance, meaning that so far there has been no need for the ICO to use the power.

The MOJ’s proposal to extend the power of compulsory audit does not require primary legislation: it would be given effect by an order made by the Secretary of State under section 41A(2)(b) of the Data Protection Act 1998. All public authority data controllers in the NHS would be covered, throughout the UK. In other words, the proposal would cover all NHS bodies listed in Part III of Schedule 1 to the Freedom of Information Act 2000 (likely to be amended following NHS reforms in England), and all Health Service data controllers in Scotland listed in Part 4 of Schedule 1 to the Freedom of Information (Scotland) Act 2002. Note that the proposals will not cover private or third sector health bodies providing services to the NHS, though the MOJ document refers to the possibility of a further order to include these bodies at a later date.

The consultation will remain open until 17th May 2013.

Timothy Pitt-Payne QC

 

11KBW Information Law Conference, 18th April 2013

11KBW is a leading set of barristers in Information Law with a wide range of expertise across all aspects of this complex and rapidly evolving area.

Chair
Timothy Pitt-Payne QC

Venue
The Royal College of Surgeons of England, 35-43 Lincoln Inn Fields, London WC2A 3PE

Topics include
The Crown Jewels? – Safe space, policy and the veto
FOI use and abuse – Costs, vexatious and repeated requests, and search obligations
Recent cases in FOIA/EIR
Going to penalties – MPNs, handling and reporting data breaches
Privacy, safeguarding and surveillance – (including T v Greater Manchester, and Southampton v ICO)
Social media and the law

We are delighted to have Richard Thomas CBE, the former Information Commissioner for the UK, giving a keynote address at the conference.

An expert panel will be discussing ” The future of data protection”.

Full Programme click here.

CPD
The conference will be credited 4.5 hours CPD – SRA/BSB

Cost
£99 + VAT (20%) = £118.80 to attend half day plus lunch
£150 + VAT (20%) = £180.00 to attend full day

How to Book
To book your place on this conference please email RSVP@11kbw.com with the delegate name, firm, email address and any purchase order details you may require. You will be then sent a confirmation email of your place and invoiced. We do not have the facilities to accept payments by credit or debit cards.