You wait ages for an official report about the ICO’s data protection audit powers

… and then two come along at once.

On 21st March 2013 the House of Commons Justice Committee published a report about the ICO (see our earlier post here), recommending, among other matters, that the ICO should be given the power to carry out compulsory data protection audits of NHS Trusts and local authorities. With uncanny speed, on 25th March 2013 the Ministry of Justice (MOJ) published a consultation document on the proposed extension of the ICO’s compulsory audit powers to cover NHS bodies. Despite the coincidence of timing, the MOJ’s proposal is not in fact a response to the Justice Committee’s report, but is prompted by a recommendation from the ICO itself.

The MOJ’s consultation document asserts that significant data protection compliance problems exist within the NHS. Over the last six calendar years (2007-2012) the ICO has received over 5,000 data protection complaints from individuals about the health sector: the only sectors that have generated more complaints over that period are lenders, local government, and general business. During the same period, the NHS self-reported over 500 data security breaches to the ICO. The MOJ document gives six examples of monetary penalty notices against NHS bodies, for amounts ranging between £60,000 and £325,000.

The ICO can already carry out consensual audits of NHS bodies; the MOJ document refers to a number of issues that have been highlighted as a result of these, including the use of unencrypted mobile media holding sensitive personal data. Most NHS consensual audits have come about as a result of referrals from the ICO’s Enforcement team, but of the NHS organisations referred for audit by Enforcement only 53% have agreed. This compares unfavourably to the 71% level of agreement for the public sector as a whole.

A compulsory audit can be initiated by the ICO serving an “assessment notice” under DPA section 41A. Where this power exists, data controllers can still agree to consensual audits; and according to the MOJ report, no assessment notices have yet been served, because 100% of data controllers covered by the existing scope of section 41A have agreed to an audit when asked to do so by the ICO. In other words, the mere existence of the power of compulsory audit has been enough to secure compliance, meaning that so far there has been no need for the ICO to use the power.

The MOJ’s proposal to extend the power of compulsory audit does not require primary legislation: it would be given effect by an order made by the Secretary of State under section 41A(2)(b) of the Data Protection Act 1998. All public authority data controllers in the NHS would be covered, throughout the UK. In other words, the proposal would cover all NHS bodies listed in Part III of Schedule 1 to the Freedom of Information Act 2000 (likely to be amended following NHS reforms in England), and all Health Service data controllers in Scotland listed in Part 4 of Schedule 1 to the Freedom of Information (Scotland) Act 2002. Note that the proposals will not cover private or third sector health bodies providing services to the NHS, though the MOJ document refers to the possibility of a further order to include these bodies at a later date.

The consultation will remain open until 17th May 2013.

Timothy Pitt-Payne QC


11KBW Information Law Conference, 18th April 2013

11KBW is a leading set of barristers in Information Law with a wide range of expertise across all aspects of this complex and rapidly evolving area.

Chair
Timothy Pitt-Payne QC

Venue
The Royal College of Surgeons of England, 35-43 Lincoln’s Inn Fields, London WC2A 3PE

Topics include
The Crown Jewels? – Safe space, policy and the veto
FOI use and abuse – Costs, vexatious and repeated requests, and search obligations
Recent cases in FOIA/EIR
Going to penalties – MPNs, handling and reporting data breaches
Privacy, safeguarding and surveillance – (including T v Greater Manchester, and Southampton v ICO)
Social media and the law

We are delighted to have Richard Thomas CBE, the former Information Commissioner for the UK, giving a keynote address at the conference.

An expert panel will be discussing “The future of data protection”.

Full Programme click here.

CPD
The conference will be credited 4.5 hours CPD – SRA/BSB

Cost
£99 + VAT (20%) = £118.80 to attend half day plus lunch
£150 + VAT (20%) = £180.00 to attend full day

How to Book
To book your place on this conference please email RSVP@11kbw.com with the delegate name, firm, email address and any purchase order details you may require. You will be then sent a confirmation email of your place and invoiced. We do not have the facilities to accept payments by credit or debit cards.

The Justice Committee and the Information Commissioner

On 21st March 2013 the House of Commons Justice Committee published a report (HC 962) on the functions, powers and resources of the Information Commissioner. It is essential reading for anyone interested in understanding the current role and future prospects of the Information Commissioner’s Office (ICO).


The Committee monitors the Ministry of Justice’s associated public bodies, and as part of this remit it maintains a close interest in the ICO. On 5th February 2013 the Committee held an oral evidence session with the Commissioner and his two deputies; it also received written evidence and supplementary information from the ICO. The report reflects this oral and written evidence.


The report begins by looking at the finances of the ICO in an era of public sector austerity. The ICO performs two separate areas of work, differently funded. Freedom of information (FOI) work is paid for by grant-in-aid from the Ministry of Justice, while data protection work is financed by the notification fee payable by data controllers under the Data Protection Act 1998 (DPA). The Commissioner is restricted in terms of “virement” – i.e. in general he cannot use DPA resources to fund FOI work, or vice versa.


As one would expect, freedom of information funding has been affected by the general pressures on public expenditure: the income for this work has been cut from £5.5 million in 2011-12 to £4.25 million in 2012-13, with the ICO planning for further cuts in 2013-14. Despite these cuts, the ICO has increased the amount of FOI casework completed, and reduced its backlog in this area. The Committee is impressed by the ICO’s success in this regard, while warning that further budget cuts would risk adversely affecting performance. The Committee suggests that the rules about virement should be relaxed.


The suggestion that DPA income might be used to subsidise FOI work seems a sensible one. There is considerable overlap – FOI cases about personal data are a very important source of DPA case law. However, it is disappointing that the Committee did not tackle more directly the question of whether FOI budget cuts make sense. An effective FOI regime is a weapon against waste and fraud, and can help keep public expenditure under control. The sums involved are modest, in the overall expenditure context – even the 2011-12 figure represents less than 10p per head of UK population. It is, at the very least, worth considering whether cutting FOI funding is a false economy.


At first sight the funding position for DPA work seems significantly better. The notification fee generates an annual income of some £15 million, over three times the FOI grant-in-aid. The problem is that the EU’s proposed Data Protection Regulation would abolish the notification fee, while at the same time imposing a wide range of additional functions on the ICO. The Committee suggests that the combined effect of these proposals would leave the ICO with a DPA funding shortfall of over £42 million. The position is made yet more difficult by the recommendations in the Leveson Report as to the future role of the ICO in relation to the press, which are a further source of potential demands on the ICO’s budget. The Committee suggests that the Government needs to find a way of retaining a fee-based self-financing system for ICO work, despite the current EU proposals.


Turning to the structure of the ICO, the Committee discusses the suggestion in the Leveson report that there should be an Information Commission led by a Board of Commissioners, rather than a single Information Commissioner. The Committee disagrees: it prefers the current model, with a single Commissioner taking personal accountability for the ICO’s work. The Committee also addresses the independence of the ICO. It recommends that the ICO should become directly responsible to and funded by Parliament, so as to guarantee its independence from the Executive. However, the Committee does not suggest that the ICO’s independence has in fact been compromised in the past by its institutional relationship with the Ministry of Justice.


As to the ICO’s statutory powers under the DPA, the Committee makes recommendations in two areas.


In relation to the criminal offence under DPA section 55, the Committee suggests that this should be made recordable – that is, convictions should be recorded on the Police National Computer and hence included in any future checks relating to the individual’s criminal record. The Committee also calls on the Government to bring into force section 77 of the Criminal Justice and Immigration Act 2008, so as to allow custodial sentences to be imposed for breach of DPA section 55. The Committee sets out – at §43 of its report – a list of other offences carrying custodial penalties for which those who breach DPA section 55 might be convicted: for instance, there is the offence of unauthorised access to computer material, under the Computer Misuse Act 1990. The Committee does not, however, regard the existence of these other offences as an adequate substitute for custodial penalties under DPA section 55.


In relation to the Commissioner’s audit powers, the Committee considers that as a general rule public sector organisations should accept an offer of a free DPA audit from the Commissioner. It recommends that the Commissioner’s power of compulsory audit under DPA section 41A should be extended to NHS Trusts and local authorities.

Timothy Pitt-Payne QC

Charges under Reg 8 EIR: a Power Cut for Public Authorities

In Kirklees Council v IC & Pali Ltd [2011] UKUT 104 (AAC) the Upper Tribunal held, in the context of property search information, that reg 8(2) EIR precluded an authority from charging for allowing applicants to inspect information in situ and that a charge was only permissible if copy documents were provided to the applicant or the information was accessed other than by means of in situ inspection. The First-tier Tribunal has revisited the application of the charging rule in reg 8 EIR, again in the context of property search information, in Leeds City Council v IC & APPS Claimants (EA/2012/0020-21) (judgment of 22 March 2013).

The requestors had requested all the information the Council held which would enable them to complete and answer the questions in the relevant property search form issued by the Law Society (the CON29R form). Some of this information was made available by enabling free public inspection, but not all of it. The Council charged, under reg 8(1), the requestors £22.50 for the fulfillment of their request. This was the same sum that the Council charged for completion of the CON29R form (although the request had been for the raw data and not for the Council to complete the form itself) and the costs were calculated on the basis of staff time etc, rather than solely on the costs of disbursements (such as photocopying). The primary question for the FTT was whether the non-disbursement costs could properly be the subject of a charge under reg 8 EIR.

The FTT held that they could not. There was no authority directly on the point – Kirklees not having had to decide this issue – and the FTT had primarily to decide the issue by reference to the principles underlying the Aarhus Convention, the Directive and the EIR. It considered the Implementation Guidance to the Convention to be of assistance because it referred only to charges within the disbursement category: at [52]-[53]. As to the Directive, the FTT found the judgment of the ECJ in Case C-217/97 Commission v Germany [1999] ECR I-5087 to be helpful, finding that the meaning of the judgment was clear: “The costs that can be imposed relate to the act of supplying information in order to comply with a request, not to the act of identifying or retrieving or collating the relevant material in the first place”: at [76]. The public authority is not, following Kirklees, entitled to charge for its evaluative and collation work so that it benefits from a failure to put in place proper systems to permit EIR requests to be dealt with by free public inspection: at [78].

Unsurprisingly, given the purpose of and recitals to the Directive, the FTT accepted that any approach to the interpretation of charges must be narrow to be consistent with the aim of increasing public access to environmental information. Any interpretation which permitted charges to include more than disbursement costs would have “significant adverse consequences” for that access. A public authority may not charge “for the cost of administrative tasks or administrative acts which may include, but are not necessarily limited to, the time spent by staff in locating, retrieving or redacting the information requested”: at [96]-[99].

The FTT’s conclusion on that issue resolved the appeal against the Council, but it went on to indicate its view as to the reasonableness of the charge imposed by the Council in any event. It considered that £22.50 was not a reasonable charge within the meaning of reg 8(3) EIR. In particular, the Council had automatically completed the CON29R form itself and charged the standard rate rather than answering the specific request for the raw data, as well as providing data at a charge which was already available for free. The charge was calculated by reference to matters which should not have been taken into account: “the nature of the information, the motives and assumed means of the applicants, the use to which the information would be put, and the fact that no objections had been received to the CON29R fee”: at [102](ii). Various of the other factors the FTT considered at [102] may be of assistance in other disputes over the reasonableness of the charge, although if the charge remains limited to disbursements such challenges may be relatively rare. The Council was also criticised for a failure to comply with reg 8(8) in that it had not published a schedule of charges, or the basis for their calculation, which could be scrutinised for fairness and reasonableness and as a result lost the entitlement to levy a charge under reg 8(1): at [118]-[119].

The case provides some helpful clarity to an area of some practical importance to public authorities, and is of considerable utility to those requesting environmental information. It remains to be seen whether it triggers a rash of complaints to the Commissioner about the reasonableness of the copying and postage charges levied under reg 8(1) (although they must, of course, be published in advance under reg 8(8)), but there is no doubt that the judgment in Leeds should prompt all public authorities to examine their information systems and charging structures to ensure that they are genuinely restricting themselves to charging for disbursements.

Anya Proops appeared for the Information Commissioner.

Christopher Knight

Privacy, Protests and Policing

In Catt v ACPO and others; T v Commissioner of Police of the Metropolis and another [2013] EWCA Civ 192, the Court of Appeal considered two appeals regarding the powers of the police to collect and retain personal information about members of the public. Both cases turned on the application of Article 8 of the Convention; in both, the Court held that there had been an interference with the Article 8(1) right to respect for private life, and that the interference was not justified under Article 8(2).


The retention of personal information by the police has given rise to extensive litigation in recent years: see e.g. Chief Constable of Humberside and others v Information Commissioner [2009] EWCA Civ 1079 (retention of conviction information on the police national computer); and S and Marper v UK [2008] ECHR 1581 (operation of the national DNA database). Although the Humberside case concerned the Data Protection Act 1998, since it arose out of enforcement action taken by the Information Commissioner under that Act, most of the cases have turned on the application of Article 8. A recurring issue, and one on which the Catt case is especially important, is whether and in what circumstances the recording and retention of information about events taking place in public will constitute an interference with the Article 8 right to respect for private life.


The first appeal concerned Mr. John Catt, described in the judgment of the Court as someone who “over a long lifetime has been an ardent and frequent protestor against what he sees as a variety of forms of injustice”. He had attended public demonstrations organised by “Smash EDO”, a group campaigning against a weapons manufacturer operating on the outskirts of Brighton. Some of the core supporters of Smash EDO were prone to violence and criminal behaviour, but Mr. Catt had not been convicted of criminal conduct of any kind in connection with any demonstration that he had attended. Personal information about Mr. Catt was held on the National Domestic Extremism Database, mostly consisting of reports by police officers attending Smash EDO demonstrations. Mr. Catt had not been the specific target of observations, but was referred to incidentally in descriptions of what the police at the scene had observed. It appeared that this information was to be retained indefinitely.


In judicial review proceedings, Mr. Catt contended that the continued retention of this information about him constituted an unjustified interference with his Article 8 rights. His claim was rejected by the Divisional Court.


The second appellant, referred to as Ms T, was served with a police warning letter following an allegation that she had directed a single homophobic insult against the friend of a neighbour. She denied the allegation; in judicial review proceedings based on an alleged infringement of her Article 8 rights, she sought an order that the police should destroy their copy of the warning letter and remove from their records all references to the decision to serve it. Again, her claim failed at first instance. Before the appeal hearing the police reviewed the information and decided to expunge it, but the Court of Appeal nevertheless heard and determined the appeal because of the importance of the issues raised.


The judgment in Catt begins with a survey of recent developments in relation to Article 8. This part of the judgment is likely to become an important reference point in any future cases about the retention and use of police information.


As to the circumstances in which there would be an interference with the Article 8(1) right, the Court began by referring to the observation of Lord Nicholls in Campbell v MGN Ltd [2004] UKHL 22, that the touchstone of private life is whether in respect of the disclosed facts the person in question had a reasonable expectation of privacy. However, recent cases showed that the position was more complex. Even information of a public nature could become private over the course of time, as memories faded. Moreover, the storage and use of personal information gathered from open sources could nevertheless involve an interference with private life.


In relation to justification under Article 8(2), the Court reiterated the three well-known requirements that the conduct in question must be in accordance with the law; carried out in pursuit of a legitimate aim; and proportionate to the aim sought to be achieved. The issue of “legitimate aim” did not cause any difficulty in the present cases: the police were acting to prevent disorder and crime, and to protect the rights and freedoms of others. In cases about the collection and retention of personal information about private individuals, the issues of legality and proportionality were closely related. As to proportionality, the overriding principle was that there should be a fair balance between the personal interest of the claimant in maintaining respect for his private life, and the pursuit of a legitimate aim in the interests of the public at large. The Court needed to pay careful attention to the nature of the information in question, the circumstances in which it could be obtained, the ways in which it could be processed and by whom, the period of retention, and the arrangements for its destruction.


Applying these principles to Mr. Catt’s case, the first issue was whether there was any interference with his right under Article 8(1). The Divisional Court had held that there was not: none of those attending the Smash EDO demonstrations can have had a reasonable expectation of privacy, since it was of the essence of such activity that it was of a public nature. The Court of Appeal took a different approach, focusing on the collection and retention of data about Mr. Catt rather than on the public nature of his activities at the demonstrations themselves. The processing and retention of even publicly available information could constitute an interference with Article 8 rights, especially when the information was subjected to systematic processing and entered on a database that was searchable by reference to specific individuals.


Turning to the issue of justification under Article 8(2), the Court focused on the issue of proportionality. It accepted that the police needed to obtain a better understanding of how Smash EDO was organised, so as to anticipate its future conduct and tactics. However, the Court did not consider that the information held about Mr. Catt was of sufficient value to justify its retention. It commented that the police appeared to be recording the names of any persons they could identify at Smash EDO demonstrations, regardless of the nature of their participation. The retention of Mr. Catt’s information on the database was therefore an unjustified interference with his Article 8 rights, and hence was unlawful.


As to the second case, that of Ms T, the Court held that the action of the police in issuing the warning letter did not in itself amount to an interference with her Article 8(1) rights, but that the retention in police records of a copy of the letter, and information describing the circumstances in which it had been issued, did constitute an interference. While the retention of this information for a short period was justified, it was hard to see how retention for more than a year or so could be of any value. If the information had not been destroyed before the appeal hearing, then its continued retention would have been disproportionate.


The message from both cases is that, even where events take place in public, the recording and retention of information about them can interfere with the right to respect for private life. The Court is especially concerned with the situation where information is retained indefinitely on databases where it is searchable by reference to individual names. In relation to justification, the cases suggest that the Court will scrutinise closely both the precise nature of the information retained, and its value for policing purposes. The analysis in Catt will be an essential starting-point in any future consideration of how Article 8 applies to police use of information.

Court of Appeal rules on damages for frustration at DPA breach

On a day in which the remedying of privacy breaches of the kind considered by Leveson LJ dominated parliamentary debate, the Court of Appeal (Arden LJ, Lloyd LJ and Ryder J) delivered an interesting judgment on remedies for privacy breaches of the data protection variety.

Halliday v Creation Consumer Finance concerned Mr H’s appeal against a damages award to him under s. 13 of the Data Protection Act 1998. He had obtained default judgment against CCF for its breach of the DPA: it had accidentally and temporarily passed to a credit reference agency incorrect information about his allegedly having an unpaid debt of £1500 (Mr H and CCF had in fact resolved their dispute by that point). The judge at first instance awarded Mr H nominal damages of no fixed amount, but was not satisfied that there was evidence of reputational harm or prejudice to Mr H’s credit position. Mr H therefore received nothing in the way of substantial damages.

His appeal has been allowed. Nominal damages were set at £1 – as Panopticon understands it, this appears to have sufficed as ‘damage’ for s. 13(1) purposes, thereby entitling Mr H to compensation for distress under s. 13(2). He was awarded £750 in recognition of his distress and frustration at CCF’s wrongful processing, but there was no cogent evidence of him having suffered injury to feelings at the time, and CCF’s breach was a technical error rather than an intentional mis-statement. Hence the somewhat insubstantial sum by way of substantial damages.

Mr H sought to rely on Article 24 of Directive 95/46/EC which provides that member states must provide for sanctions where data protection rights have been infringed, but the Court of Appeal held that he could not seek direct enforcement of that provision in private proceedings, and that it was not the function of the civil courts to impose sanctions on data controllers – rather, their function under s. 13 of the DPA was to compensate data subjects.

It is understood that this judgment was delivered ex tempore, with a written judgment to follow, along with more Panopticon analysis.

Robin Hopkins