Thirteen deadly sins: new ICO guidance on vexatious requests

Posted on | by Robin Hopkins

On Wednesday, the ICO launched its new guidance on section 14 (vexatious requests) on Wednesday. This follows the Upper Tribunal’s recent decisions on this exemption (Panopticon passim), as well as decisions such as Salford City Council v IC and TieKey Accounts (EA/2012/0047) concerning reliance on section 14 to avoid incurring unreasonable cost burdens.

The ICO’s long-standing 5 indicators are supplanted by a new list of 13 indicators – though the emphasis remains on their not being intended as pseudo-statutory tests (and thus they are not really ‘deadly sins’). The thirteen indicators are (in no particular order):

abusive or aggressive language; burden on the authority; personal grudges; unreasonable persistence; unfounded accusations; intransigence; frequent or overlapping requests; deliberate intention to cause annoyance; scattergun approach; disproportionate effort; no obvious intent to obtain information; futile requests; frivolous requests.

The guidance addresses such topics as round robins, fishing expeditions and requesters acting in concert/as part of a campaign, all of which arise frequently for consideration by public authorities. There is also a section on “recommended actions before making a final decision” (paragraphs 93-97) which public authorities would be wise to consider with an eye on complaints to the ICO from dissatisfied recipients of section 14 notices.

For discussions of the new guidance, see these blog posts from the ICO’s Deputy Commissioner, Graham Smith, and also from FOI Man.

Robin Hopkins

Google: autocomplete and the frontiers of privacy

Posted on | by Robin Hopkins

Unsurprisingly, the frontiers of privacy and data protection law are often explored and extended by reference to what Google does. Panopticon has, for example, covered disputes over Google Street View (on which a US lawsuit was settled in recent months), Google’s status as a ‘publisher’ of blogs containing allegedly defamatory material (see Tamiz v Google [2013] EWCA Civ 68) and its responsibility for search results directing users to allegedly inaccurate or out-of-date personal data (see Google Spain v Agencia Espanola de Proteccion de Datos (application C-131/12), in which judgment is due in the coming months).

A recent decision of a German appellate court appears to have extended the frontiers further. The case (BGH, VI ZR 269/12 of 14th May 2013) concerned Google’s ‘autocomplete’ function. When the complainants’ names were typed into Google’s search bar, the autocomplete function added the ensuing words “Scientology” and “fraud”. This was not because there was lots of content linking that individual with those terms. Rather, it was because these were the terms other Google users had most frequently searched for in conjunction with that person’s name. This was due to rumours the truth or accuracy of which the complainants denied. They complained that the continuing association of their names with these terms infringed their rights to personality and reputation as protected by German law (Articles 823(1) and 1004 of the German Civil Code).

In the Google Spain case, Google has said that the responsibility lies with the generators of the content, not with the search engine which offers users that content. In the recent German case, Google has argued in a similar vein that the autocomplete suggestions are down to what other users have searched for, not what Google says or does.

In allowing the complainants’ appeals, the Federal Court of Justice in Karlsruhe has disagreed with Google. The result is that once Google has been alerted to the fact that an autocomplete suggestion links someone to libellous words, it must remove that suggestion. The case is well covered by Jeremy Phillips at IPKat and by Karin Matussek of Bloomberg in Berlin.

The case is important in terms of the frontiers of legal protection for personal integrity and how we allocate responsibility for harm. Google says that, in these contexts, it is a facilitator not a generator. It says it should not liable for what people write (see Tamiz and Google Spain), not for what they search for (the recent German case). Not for the first time, courts in Europe have allocated responsibility differently.

Notably, this case was not brought under data protection law. In principle, it seems that such complaints could be expressed in data protection terms. Perhaps, if the EU’s final Data Protection Regulation retains the severe penalty provisions proposed in the draft version, data protection will move centre-stage in these sorts of cases.

Robin Hopkins

New FoIA Exemption

Posted on | by James Goudie KC

Following the Queen’s Speech, an Intellectual Property Bill has been introduced in the House of Lords.  Clause 19 inserts a new exemption into the FoIA (Section 22A).  The exemption is for continuing programmes of research intended for future publication.  Subsection 1(a) of Clause 19 provides that information is exempt from a Section 1(1)(b) FoIA disclosure requirement if it relates to information obtained in the course of, or derived from, a programme of continuing research that is intended for future publication.  Subsection (1)(b) of the new Clause, however, provides that the information will be exempt only if disclosure would, or would be likely to, prejudice a matter listed in that subsection.  The exemption will not be an absolute exemption. It will be subject to the public interest balance test.  Public authorities will not be required to confirm or deny that they hold Section 22A information if, or to the extent that, compliance would, or would be likely to prejudice, any of the matters mentioned in subsection (1)(b).  The Government does not consider that the new exemption raises any issues of compatibility under ECHR Article 10.

EIR: when is information ‘held’?

Posted on | by Edward Capewell

One of the issues which commonly arises for information law practitioners is the question, which arises under both FOIA and the EIR, of whether a public authority actually holds the information which has been requested. The leading case on section 1(1) FOIA is University of Newcastle v IC & British Union for the Abolition of Vivisection [2011] UKUT 185 (AAC), [2011] 2 Info LR 54 and substantially the same approach has been adopted in, for example, Keiller v IC and University of East Anglia [2012] 1 Info LR 128 and Clyne v IC & London Borough of Lambeth [2012] 2 Info LR 24 in relation to regulation 3(2) EIR. What is required is a common-sense and non-technical approach. That, of course, is easier stated than applied.

The issue arose again in Holland v IC & University of East Anglia (EA/2012/0098). Like Keiller, this case was concerned with the Climatic Research Unit (“CRU”) at UEA, the source of the so-called ‘Climategate’ controversy. Readers will recall that in November 2009 there was an unauthorised disclosure of a large number of emails concerning work undertaken at the CRU. The ensuing controversy led the university to set up the Independent Climate Change E-mail Review (“ICCER”) chaired by Sir Muir Russell, which reported in 2010.

Mr Holland, who had made a submission to the ICCER, requested “copies of all of the information held” by it. A lot of information had been published on the ICCER’s own website, and essentially what remained, the tribunal found, was the Review’s “working papers”. It seems not to have been in issue that they were in the physical possession of Sir Muir Russell or his solicitors and not UEA. The issue was, therefore, whether the information was held ‘on behalf of’ UEA for EIR purposes. The Commissioner thought not, and the tribunal agreed with him.

Directing itself by reference to BUAV as well as a number of other FTT decisions, the Tribunal decided that it needed first to examine the nature of the legal and practical relationship between UEA and the ICCER/Sir Muir Russell. It found that the inquiry could have been conducted internally, but that UEA had decided to externalise it not, as Mr Holland had argued, in order to avoid its obligations under FOIA and the EIR, but “at a time when UEA’s credibility was very much at stake, in order to inspire confidence in the independence of the findings” (para 104). It went on to find that there was nothing in the EIR, nor in the Aarhus Convention, which prevents public bodies from externalising functions or which means that environmental information thereby created is necessarily held by the public body (para 105). Although there was no written document evidencing a contract between Sir Muir and UEA, the Tribunal found that a contract did exist (para 108). It did, however, express considerable surprise at the absence of a written contract and of the fact that “there was no discussion … about the information that would be received or generated by the ICCER” (para 110). Nevertheless, the Tribunal accepted that both parties had proceeded on the assumption that UEA would have no claim to or be able to access the information and that it would be held by the ICCER on its own behalf (para 114).

The Tribunal went on to hold that there was no other sense in which the ICCER was beholden to UEA or in which its independence was compromised. It was not, as Mr Holland had argued, merely a ‘sham’: “we do not find it likely that [UEA] would have compounded its problems so greatly, and risked its credibility so completely, by setting up an inquiry that was independent in name only” (para 116). Neither the involvement of a Professor Boulton on the Review panel (who had previously worked for UEA) nor the decision not to publish the Appellant’s submission in full affected the fundamental independence of the ICCER (paras 117-118). It followed that the information requested was not held ‘on behalf of’ UEA and the appeal therefore failed. Interestingly, the Tribunal did perhaps give some succour to Mr Holland by saying in para 122 “It may be that the information should be held by the UEA and there may be good reason why, barring anything provided in confidence, the information should be passed to the UEA to form part of its historical records. Were that to happen, then in the future, the information may be held by the UEA.” Leaving aside the question-begging first sentence (why, in EIR terms, ‘should’ UEA hold this information?), the second sentence is an important reminder that the answer to the question of whether information is held is one which is liable to change over time and with circumstances.

Edd Capewell

Article 8 and enhanced criminal record certificates

Posted on | by Rachel Kamm

There have been a number of Panopticon posts about the lawfulness of disclosures in enhanced criminal record certificates. The latest decision is that of Mr Justice Stuart-Smith in R (L) v Chief Constable of Cumbria Constabulary [2013] EWHC 869 (Admin).

The principles are now well established. In R (L) v Commissioner of Police of the Metropolis [2010] 1 AC 410 the Supreme Court identified that s.113B (4) of the Police Act 1997 requires that information can only be included in an enhanced criminal record certificate if, in the Chief Officer’s opinion, the information might be relevant and ought to be included in the certificate. Where it is alleged that disclosure would breach an individual’s rights under Article 8 ECHR, the Court must take into account up to date information to reach its own judgment (without deference to the Chief Constable) as to whether or not there has been an interference with the applicant’s right to private life and, if such interference has occurred, whether it is lawful.

In this case, the claimant (“L”) was an experienced secondary school teacher aged in his mid-forties. He challenged the Chief Constable of Cumbria Constabulary’s decisions, communicated by letters dated 15 May and 27 July 2012, not to remove contested information from the “other relevant information” section of the claimant’s enhanced criminal record certificates.

The following is an example of the information disclosed to L’s prospective employers:

 “Cumbria Constabulary hold the following information which we believe to be relevant to the application of L  …. The information relates to an allegation of inappropriate behaviour towards a female pupil of the school where L was employed as a teacher. Cumbria Constabulary believe this information to be relevant to an employer’s risk and suitability assessment when considering L‟s application for the post of supply teacher with vision for education, working with children and vulnerable adults, because the information, which is considered likely to be true, indicates an abuse by L of the position of trust in which he was placed as a teacher.

The information held by police involves an allegation by an 18- year old female that on 07.05.10, whilst in licensed premises, L had inappropriately hugged her and persistently asked her to go home with him, offering her £200 to do so, causing her to feel vulnerable and harassed. The complainant was a pupil at the school where L was employed as a teacher and he had known her since she was 12 or 13 years of age when he was her teacher.

When interviewed by police, L agreed that he had been present that evening but denied all allegations stating that he had not seen or spoken to the complainant. No further police action was taken against L in relation to these allegations as the complainant was 18 years of age and therefore no criminal offences had been committed.

After careful consideration, Cumbria Constabulary considers that this information ought to be disclosed as the alleged incident of inappropriate behaviour occurred in relation to a female pupil of the school where L was a teacher at the time. The information is materially relevant to the post of supply teacher applied for in which L will have regular and unsupervised contact with children and young adults. The risks of similar inappropriate behaviour of a sexual nature by L towards vulnerable young persons must, in this instance, outweigh the prejudicial impact that disclosure may have on L‟s private life and employment prospects as a teacher.”

Mr Justice Stuart-Smith held that the Chief Constable was obliged and right to carry out an assessment of reliability, but that he did not have materials available to him that could justify a determination that some form of communication had taken place between the claimant and the pupil. There was ample material upon which the Chief Constable could have reached the conclusion that the pupil’s evidence may well have been reliable, but the real possibility remained that the allegations were without foundation.

Mr Justice Stuart-Smith went on to find that even if the allegations were true, “the risk disclosed by the one episode of which she complained was not shown to be anything other than slight and was a risk to a very limited class of persons in tightly defined circumstances” (namely, current and former pupils whom L might come across in a pub). The incident alleged was itself relatively minor in the overall scheme of sexually inappropriate behaviour and it was an isolated incident in a long career. The incident had not been properly or fully investigated.

Further, the disclosure was made in circumstances where both the General Teaching Council and the Independent Safeguarding Authority had concluded that there was no case to answer. However, the result of the disclosure “had been as severe for L’s employment prospects as if he had been convicted of a serious offence of sexual misconduct and placed on the Sex Offenders’ Register: it is a killer blow and its effects are likely to be long lasting”.

Mr Justice Stuart-Smith concluded that “any proper balancing exercise comes down in favour of the conclusion that this interference with L’s Article 8 rights is disproportionate and unjustifiable, particularly in a jurisdiction where people are generally to be presumed innocent until proved guilty … the defendant has not shown a pressing need for the disclosure, because of the limited circumstances in which a possible risk of repetition might arise and the relative lack of gravity of the alleged conduct. Nor has the defendant shown that the means used to impair L’s rights are no more than necessary to accomplish a legitimate objective”. The disclosures in the enhanced criminal record certificates had breached his Article 8 ECHR rights.

Rachel Kamm, 11KBW

MPs’ expenses: copies of receipts are subject to FOIA

Posted on | by Panopticon Blog

Following the MPs’ expenses scandal, the then newly-founded Independent Parliamentary Standards Authority (IPSA) decided that it would not routinely publish images of the receipts submitted to IPSA by MPs in support of their expenses claims.  Rather, only text transcribed from the submitted receipts was to be published.

The question that arose in IPSA v Information Commissioner (EA/2012/0242) was whether images of those receipts held by IPSA contained “information” within the meaning of section 1 of FOIA, which was not captured by the transcription process favoured by IPSA. In a decision handed down today, the First-Tier Tribunal held that those images do contain such information, and so dismissed IPSA’s appeal. The receipts in question related to claims made by John Bercow MP, Alan Keen MP and George Osborne MP in 2010, which were requested by Mr Brian Leapman of the Daily Telegraph (whose FOIA requests, together with those of others, had played a vital role in the exposure of the old system of MPs’ expenses). The decision is an unusual and interesting instance of the question of “what is information?” arising for consideration in the FOIA context.

Information is defined by section 84 of FOIA (“‘information’ (subject to sections 51(8) and 75(2)) means information recorded in any form”).  The tribunal concluded that, in this case, this definition included logos, letterheads, “handwriting/manuscript comments”, and “the layout and style/design of the requested documents” – each of which were not disclosed to Mr Leapman as a result of providing a transcription, rather than a copy, of the relevant receipts.  The tribunal rejected IPSA’s submission that those materials were “merely presentational”, and went on to consider further examples of information falling within section 1 of FOIA that could be of forensic value to a person investigating expenses claims by MPs:

“…a signature on an invoice may indicate fraud if it was identical to the claimant’s signature or that of a member of his team; a shoddily presented invoice may call into question the legitimacy of the company said to have issued it, or a letterhead or logo may have changed or be different to the one usually associated with a particular company – again bringing the legitimacy of the invoice into question.

The tribunal noted that IPSA insists on seeing actual receipts for its own purposes, and that the Chief Executive of IPSA had accepted in evidence that “sight of the receipt might be more informative”.

In arriving to the conclusions above, the tribunal rejected an attempt by IPSA to rely on section 11 of FOIA to justify the method by which it chose to disclose information to Mr Leapman. Section 11(4), permits a public authority to use a means of communicating requested information that is “reasonable in the circumstances”; and section 11(1) requires a public authority to give effect to a preference for a particular form of communication to the extent that it is “reasonably practicable”.  IPSA argued that for practical reasons it was not reasonable or reasonably practicable for it to fulfill Mr Leapman’s alleged preference for disclosure by a particular means of communication (see paragraph 14).

The tribunal found, however, that section 11 cannot operate to enable a public authority to limit the information which it is obliged to disclose.  Rather, the principle question for the tribunal was whether the disclosure by IPSA to Mr Leapman in fact conveyed all of the non-exempt information contained within the receipts.  As the answer to that question was “no”, it was not necessary for the tribunal to go on to consider the applicability of section 11.

Robin Hopkins appeared for the Information Commissioner; Philip Coppel QC appeared for IPSA.

Tom Ogg