MPs’ expenses: copies of receipts are subject to FOIA

Posted on | by Panopticon Blog

Following the MPs’ expenses scandal, the then newly-founded Independent Parliamentary Standards Authority (IPSA) decided that it would not routinely publish images of the receipts submitted to IPSA by MPs in support of their expenses claims.  Rather, only text transcribed from the submitted receipts was to be published.

The question that arose in IPSA v Information Commissioner (EA/2012/0242) was whether images of those receipts held by IPSA contained “information” within the meaning of section 1 of FOIA, which was not captured by the transcription process favoured by IPSA. In a decision handed down today, the First-Tier Tribunal held that those images do contain such information, and so dismissed IPSA’s appeal. The receipts in question related to claims made by John Bercow MP, Alan Keen MP and George Osborne MP in 2010, which were requested by Mr Brian Leapman of the Daily Telegraph (whose FOIA requests, together with those of others, had played a vital role in the exposure of the old system of MPs’ expenses). The decision is an unusual and interesting instance of the question of “what is information?” arising for consideration in the FOIA context.

Information is defined by section 84 of FOIA (“‘information’ (subject to sections 51(8) and 75(2)) means information recorded in any form”).  The tribunal concluded that, in this case, this definition included logos, letterheads, “handwriting/manuscript comments”, and “the layout and style/design of the requested documents” – each of which were not disclosed to Mr Leapman as a result of providing a transcription, rather than a copy, of the relevant receipts.  The tribunal rejected IPSA’s submission that those materials were “merely presentational”, and went on to consider further examples of information falling within section 1 of FOIA that could be of forensic value to a person investigating expenses claims by MPs:

“…a signature on an invoice may indicate fraud if it was identical to the claimant’s signature or that of a member of his team; a shoddily presented invoice may call into question the legitimacy of the company said to have issued it, or a letterhead or logo may have changed or be different to the one usually associated with a particular company – again bringing the legitimacy of the invoice into question.

The tribunal noted that IPSA insists on seeing actual receipts for its own purposes, and that the Chief Executive of IPSA had accepted in evidence that “sight of the receipt might be more informative”.

In arriving to the conclusions above, the tribunal rejected an attempt by IPSA to rely on section 11 of FOIA to justify the method by which it chose to disclose information to Mr Leapman. Section 11(4), permits a public authority to use a means of communicating requested information that is “reasonable in the circumstances”; and section 11(1) requires a public authority to give effect to a preference for a particular form of communication to the extent that it is “reasonably practicable”.  IPSA argued that for practical reasons it was not reasonable or reasonably practicable for it to fulfill Mr Leapman’s alleged preference for disclosure by a particular means of communication (see paragraph 14).

The tribunal found, however, that section 11 cannot operate to enable a public authority to limit the information which it is obliged to disclose.  Rather, the principle question for the tribunal was whether the disclosure by IPSA to Mr Leapman in fact conveyed all of the non-exempt information contained within the receipts.  As the answer to that question was “no”, it was not necessary for the tribunal to go on to consider the applicability of section 11.

Robin Hopkins appeared for the Information Commissioner; Philip Coppel QC appeared for IPSA.

Tom Ogg

Data protection: trends, possibilities and FOI disclosures

Posted on | by Robin Hopkins

At 11KBW’s information law seminar in May, one of the discussion topics was ‘the future of data protection’. Here are some further thoughts on some interesting trends and developments.

Progress at the EU level

A major issue on this front is of course progress on the draft EU Data Protection Regulation – on which see this blog post from the ICO’s David Smith for an overview of the issues currently attracting the most debate. While that negotiation process runs its course, the Article 29 Working Party continues to provide influential guidance for users and regulators on some of the thorniest data protection issues. Its most recent opinion addresses purpose limitation, i.e. the circumstances under which data obtained for one purpose can be put to another. A summary of its views is available here.

Subject access requests

Turning to domestic DPA litigation in the UK, practitioners should watch out for a number of other developments (actual or potential) over the coming months. On the subject access request front, for example, data controllers have tended to take comfort from two themes in recent judgments (such as Elliott and Abadir, both reported on Panopticon). In short, the courts in those cases have agreed that (i) data controllers need only carry out reasonable and proportionate searches, and (ii) that section 7(9) claims being pursued for the collateral purpose of aiding other substantive litigation will be an abuse of process.

Data controllers should, however, note that neither of those points is free from doubt: there are plenty who doubt the legal soundness of the proportionality point, and the abuse of process point has arisen for section 7(9) claims to the court – it should not, in other words, be relied upon too readily to refuse requests themselves.

Damages

Damages under section 13 of the DPA is another area of potentially important change. The Halliday v Creation Consumer Finance case (briefly reported by Panopticon) has been given further discussion in the Criminal Law & Justice Weekly here. Based on that information, perhaps the most interesting point is this: defendants have rightly taken comfort from the requirement under section 13 that compensation for distress can be awarded only where damage has also been suffered. In Halliday, however, nominal damages (of £1) were awarded, thereby apparently fulfilling the ‘damage’ requirement and opening the door for a ‘distress’ award (though note that Panopticon has not yet seen a full judgment from the Court of Appeal in this case, so do not take this as a definitive account). If that approach becomes standard practice, claimants may be in much stronger positions for seeking damages.

A further potential development on the damages front arises out of monetary penalty notices: data controllers who are subject to hefty penalties by the ICO may in some cases also find themselves facing section 13 claims from the affected data subjects themselves, presenting a worrying prospect of paying out twice for the same mistake.

Disclosure of personal data in the FOIA context

In general terms, requesters struggle to obtain the personal data of others through FOIA requests. A couple of very recent decisions have, however, gone the other way.

In White v IC and Carmarthenshire County Council (EA/2012/0238), the First-Tier Tribunal allowed the requester’s appeal and ordered disclosure of a list of licensed dog-breeders in the council’s area. In particular, it concluded that (paragraphs 21-23):

“…the Tribunal believes – on the facts of this case – that an important factor for any assessment in relation to the “fairness” of the disclosure of the personal data is best discovered from the context in which the personal data was provided to the Council in the first place.

22. The context, here, is to secure a commercial licence required by law to breed dogs. That license is necessary for the local authority to know who the licensed dog breeders in that area are, and so that the law can be enforced and welfare checks can be conducted as and when necessary in relation to the welfare of the dogs being bred commercially.

23. Licensing – in the ordinary course of things – is a public regulatory process. Indeed it was a public process in Carmarthenshire, in relation to the information that is at the core of this appeal, until the Council changed its policy in 2008.”

The Tribunal was unimpressed by the suggestive language of a survey of dog breeders which the council had carried out to support its case for non-disclosure. It also noted that a neighbouring council had disclosed such information.

The First-Tier Tribunal issued its decision in Dicker v IC (EA/2012/0250) today. It allowed the requester’s appeal and ordered disclosure of the salary of the chief executive of the NHS Surrey PCT over specified time periods, including total remuneration, expenses allowance, pension contributions and benefit details. As to legitimate interests in disclosure, the Tribunal said that (paragraph 13):

“In this case the arrangements (including secondment and recharge from another public authority at one stage) mean that the arrangements are not as transparent as might be wished and it is not entirely clear from the information published (as opposed to the assurances given) that the national pay guidance has been complied with. Mr Dicker asserted that the CEO was paid in excess of the national framework. The Tribunal was satisfied that there was a legitimate public interest in demonstrating that the national framework had been complied with and that the published information did not properly establish this”.

On the questions of distress and privacy infringements, the Tribunal took this view (paragraph 14):

“The CEO is a prominent public servant discharging heavy responsibilities who must expect to be scrutinised. Individuals in such circumstances are rational, efficient, hard-working and robust. They are fully entitled to a high degree of respect for their private lives. However the protection of personal information about their families and their health is a very different matter from having in the public domain information about income… The Tribunal simply cannot accept that anyone in such a role would feel the slightest distress, or consider that there has been any intrusion or that they would be prejudiced in any way by such information. From the perspective of the individual such information is essentially trivial; indeed, in other European societies, such information would be routinely available.”

If this approach were to become standard, the implications for public authorities would be significant.

Further, there are two very important personal data FOIA cases to look out for in the coming months. Following its decision in the Edem case late in 2012, the Upper Tribunal’s next consideration of personal data in the FOIA context is the appeal in the Morley v IC & Surrey Heath Borough Council (EA/2011/0173) case, in which the Tribunal – in a majority decision in which Facebook disclosures played a significant part – ordered the disclosure of names of certain youth councillors.

More importantly, the Supreme Court will hear an appeal from the Scottish Court of Session in July about a FOISA request for the number of individuals employed by the Council on specific points in the pay structure. The council relied on the personal data exemption (contending that individuals could be identified from the requested information), but the Scottish Information Commissioner ordered disclosure and succeeded before Scotland’s highest court. The Supreme Court will consider issues including the approach to ‘legitimate interests’ under condition 6(1) of schedule 2 to the DPA (the condition most often relied upon in support of disclosing personal data to the public). The case is likely to have far-reaching implications. For more detail, see Alistair Sloan’s blog.

Panopticon will, as ever, keep its eye on these and other related developments.

Robin Hopkins

11KBW Information Law Conference on 18th April 2013 – Richard Thomas CBE to give keynote address

Posted on | by Timothy Pitt-Payne KC

We are delighed that Richard Thomas CBE, the former Information Commissioner, will be giving the keynote address at our conference on 18th April.  His title is, “Risk, Accountability and Binding Corporate Codes: New Thinking for the draft Regulation.”

There is a widely-held view that the proposed EU Regulation on data protection is over-burdensome, and focused more on bureaucracy than protection. A more creative and flexible approach is needed, with better-defined outcomes, encouraging businesses which present the greatest risks to adopt comprehensive privacy programmes. Richard Thomas will outline how such an approach could be put at the heart of the Regulation, drawing upon a Risk Framework, the Accountability Principle, and Binding Corporate Codes.

We are also delighted that Richard will be able to join us for the expert panel discussion which will take place immediately after his keynote address.

For full details of the event, including booking information, see our earlier post here.

 

You wait ages for an official report about the ICO’s data protection audit powers

Posted on | by Timothy Pitt-Payne KC

… and then two come along at once.

On 21st March 2013 the House of Commons Justice Committee published a report about the ICO (see our earlier post here), recommending, among other matters, that the ICO should be given the power to carry out compulsory data protection audits of NHS Trusts and local authorities. With uncanny speed, on 25th March 2013 the Ministry of Justice (MOJ) published a consultation document on the proposed extension of the ICO’s compulsory audit powers to cover NHS bodies. Despite the coincidence of timing, the MOJ’s proposal is not in fact a response to the Justice Committee’s report, but is prompted by a recommendation from the ICO itself.

The MOJ’s consultation document asserts that significant data protection compliance problems exist within the NHS. Over the last six calendar years (2007-2012) the ICO has received over 5,000 data protection complaints from individuals about the health sector: the only sectors that have generated more complaints over that period are lenders, local government, and general business. During the same period, the NHS self-reported over 500 data security breaches to the ICO. The MOJ document gives six examples of monetary penalty notices against NHS bodies, for amounts ranging between £60,000 and £325,000.

The ICO can already carry out consensual audits of NHS bodies; the MOJ document refers to a number of issues that have been highlighted as a result of these, including the use of unencrypted mobile media holding sensitive personal data. Most NHS consensual audits have come about as a result of referrals from the ICO’s Enforcement team, but of the NHS organisations referred for audit by Enforcement only 53% have agreed. This compares unfavourably to the 71% level of agreement for the public sector as a whole.

A compulsory audit can be initiated by the ICO serving an “assessment notice” under DPA section 41A. Where this power exists, data controllers can still agree to consensual audits; and according to the MOJ report, no assessment notices have yet been served, because 100% of data controllers covered by the existing scope of section 41A have agreed to an audit when asked to do so by the ICO. In other words, the mere existence of the power of compulsory audit has been enough to secure compliance, meaning that so far there has been no need for the ICO to use the power.

The MOJ’s proposal to extend the power of compulsory audit does not require primary legislation: it would be given effect by an order made by the Secretary of State under section 41A(2)(b) of the Data Protection Act 1998. All public authority data controllers in the NHS would be covered, throughout the UK. In other words, the proposal would cover all NHS bodies listed in Part III of Schedule 1 to the Freedom of Information Act 2000 (likely to be amended following NHS reforms in England), and all Health Service data controllers in Scotland listed in Part 4 of Schedule 1 to the Freedom of Information (Scotland) Act 2002. Note that the proposals will not cover private or third sector health bodies providing services to the NHS, though the MOJ document refers to the possibility of a further order to include these bodies at a later date.

The consultation will remain open until 17th May 2013.

Timothy Pitt-Payne QC

 

11KBW Information Law Conference, 18th April 2013

Posted on | by Panopticon Blog

11KBW is a leading set of barristers in Information Law with a wide range of expertise across all aspects of this complex and rapidly evolving area.

Chair
Timothy Pitt-Payne QC

Venue
The Royal College of Surgeons of England, 35-43 Lincoln Inn Fields, London WC2A 3PE

Topics include
The Crown Jewels? – Safe space, policy and the veto
FOI use and abuse – Costs, vexatious and repeated requests, and search obligations
Recent cases in FOIA/EIR
Going to penalties – MPNs, handling and reporting data breaches
Privacy, safeguarding and surveillance – (including T v Greater Manchester, and Southampton v ICO)
Social media and the law

We are delighted to have Richard Thomas CBE, the former Information Commissioner for the UK, giving a keynote address at the conference.

An expert panel will be discussing ” The future of data protection”.

Full Programme click here.

CPD
The conference will be credited 4.5 hours CPD – SRA/BSB

Cost
£99 + VAT (20%) = £118.80 to attend half day plus lunch
£150 + VAT (20%) = £180.00 to attend full day

How to Book
To book your place on this conference please email RSVP@11kbw.com with the delegate name, firm, email address and any purchase order details you may require. You will be then sent a confirmation email of your place and invoiced. We do not have the facilities to accept payments by credit or debit cards.

The Justice Committee and the Information Commissioner

Posted on | by Timothy Pitt-Payne KC

On 21st March 2013 the House of Commons Justice Committee published a report (HC 962) on the functions, powers and resources of the Information Commissioner.  It is essential reading for anyone interested in understanding the current role and future prospects of the Information Commissioner’s Office (ICO).

 

The Committee monitors the Ministry of Justice’s associated public bodies, and as part of this remit it maintains a close interest in the ICO.  On 5th February 2013 the Committee held an oral evidence session with the Commissioner and his two deputies; it also received written evidence and supplementary information from the ICO.  The report reflects this oral and written evidence.

 

The report begins by looking at the finances of the ICO in an era of public sector austerity.   The ICO performs two separate areas of work, differently funded.  Freedom of information (FOI) work is paid for by grant-in-aid from the Ministry of Justice, while data protection work is financed by the notification fee payable by data controllers under the Data Protection Act 1998 (DPA).  The Commissioner is restricted in terms of “virement” – i.e. in general he cannot use DPA resources to fund FOI work, or vice versa.

 

As one would expect, freedom of information funding has been affected by the general pressures on public expenditure:  the income for this work has been cut from £5.5 million in 2011-12 to £4.25 million in 2012-13, with the ICO planning for further cuts in 2013-14.  Despite these cuts, the ICO has increased the amount of FOI casework completed, and reduced its backlog in this area.  The Committee is impressed by the ICO’s success in this regard, while warning that further budget cuts would risk adversely affecting performance.  The Committee suggests that the rules about virement should be relaxed.

 

The suggestion that DPA income might be used to subsidise FOI work seems a sensible one.  There is considerable overlap – FOI cases about personal data are a very important source of DPA case law.  However, it is disappointing that the Committee did not tackle more directly the question of whether FOI budget cuts make sense.  An effective FOI regime is a weapon against waste and fraud, and can help keep public expenditure under control.  The sums involved are modest, in the overall expenditure context – even the 2011-12 figure represents less than 10p per head of UK population.  It is, at the very least, worth considering whether cutting FOI funding is a false economy.

 

At first sight the funding position for DPA work seems significantly better.  The notification fee generates an annual income of some £15 million, over three times the FOI grant-in-aid.  The problem is that the EU’s proposed Data Protection Regulation would abolish the notification fee, while at the same time imposing a wide range of additional functions on the ICO.  The Committee suggests that the combined effect of these proposals would leave the ICO with a DPA funding shortfall of over £42 million.  The position is made yet more difficult by the recommendations in the Leveson Report as to the future role of the ICO in relation to the press, which are a further source of potential demands on the ICO’s budget.  The Committee suggests that the Government needs to find a way of retaining a fee-based self-financing system for ICO work, despite the current EU proposals.

 

Turning to the structure of the ICO, the Committee discusses the suggestion in the Leveson report that there should be an Information Commission led by a Board of Commissioners, rather than a single Information Commissioner.  The Committee disagrees:  it prefers the current model, with a single Commissioner taking personal accountability for the ICO’s work.  The Committee also addresses the independence of the ICO.  It recommends that the ICO should become directly responsible to and funded by Parliament, so as to guarantee its independence from the Executive.  However, the Committee does not suggest that the ICO’s independence has in fact been compromised in the past by its institutional relationship with the Ministry of Justice.

 

As to the ICO’s statutory powers under the DPA, the Committee makes recommendations in two areas.

 

In relation to the criminal offence under DPA section 55, the Committee suggests that this should be made recordable – that is, convictions should be recorded on the Police National Computer and hence included in any future checks relating to the individual’s criminal record.  The Committee also calls on the Government to bring into force section 77 of the Criminal Justice and Immigration Act 2008, so as to allow custodial sentences to be imposed for breach of DPA section 55.  The Committee sets out  – at §43 of its report – a list of other offences carrying custodial penalties for which those who breach DPA section 55 might be convicted:  for instance, there is the offence of unauthorised access to computer material, under the Computer Misuse Act 1990.  The Committee does not, however, regard the existence of these other offences as an adequate substitute for custodial penalties under DPA section 55.

 

In relation to the Commissioner’s audit powers, the Committee considers that as a general rule public sector organisations should accept an offer of a free DPA audit from the Commissioner.  It recommends that the Commissioner’s power of compulsory audit under DPA section 41A should be extended to NHS Trusts and local authorities.

Timothy Pitt-Payne QC