Data protection: trends, possibilities and FOI disclosures

Posted on | by Robin Hopkins

At 11KBW’s information law seminar in May, one of the discussion topics was ‘the future of data protection’. Here are some further thoughts on some interesting trends and developments.

Progress at the EU level

A major issue on this front is of course progress on the draft EU Data Protection Regulation – on which see this blog post from the ICO’s David Smith for an overview of the issues currently attracting the most debate. While that negotiation process runs its course, the Article 29 Working Party continues to provide influential guidance for users and regulators on some of the thorniest data protection issues. Its most recent opinion addresses purpose limitation, i.e. the circumstances under which data obtained for one purpose can be put to another. A summary of its views is available here.

Subject access requests

Turning to domestic DPA litigation in the UK, practitioners should watch out for a number of other developments (actual or potential) over the coming months. On the subject access request front, for example, data controllers have tended to take comfort from two themes in recent judgments (such as Elliott and Abadir, both reported on Panopticon). In short, the courts in those cases have agreed that (i) data controllers need only carry out reasonable and proportionate searches, and (ii) that section 7(9) claims being pursued for the collateral purpose of aiding other substantive litigation will be an abuse of process.

Data controllers should, however, note that neither of those points is free from doubt: there are plenty who doubt the legal soundness of the proportionality point, and the abuse of process point has arisen for section 7(9) claims to the court – it should not, in other words, be relied upon too readily to refuse requests themselves.

Damages

Damages under section 13 of the DPA is another area of potentially important change. The Halliday v Creation Consumer Finance case (briefly reported by Panopticon) has been given further discussion in the Criminal Law & Justice Weekly here. Based on that information, perhaps the most interesting point is this: defendants have rightly taken comfort from the requirement under section 13 that compensation for distress can be awarded only where damage has also been suffered. In Halliday, however, nominal damages (of £1) were awarded, thereby apparently fulfilling the ‘damage’ requirement and opening the door for a ‘distress’ award (though note that Panopticon has not yet seen a full judgment from the Court of Appeal in this case, so do not take this as a definitive account). If that approach becomes standard practice, claimants may be in much stronger positions for seeking damages.

A further potential development on the damages front arises out of monetary penalty notices: data controllers who are subject to hefty penalties by the ICO may in some cases also find themselves facing section 13 claims from the affected data subjects themselves, presenting a worrying prospect of paying out twice for the same mistake.

Disclosure of personal data in the FOIA context

In general terms, requesters struggle to obtain the personal data of others through FOIA requests. A couple of very recent decisions have, however, gone the other way.

In White v IC and Carmarthenshire County Council (EA/2012/0238), the First-Tier Tribunal allowed the requester’s appeal and ordered disclosure of a list of licensed dog-breeders in the council’s area. In particular, it concluded that (paragraphs 21-23):

“…the Tribunal believes – on the facts of this case – that an important factor for any assessment in relation to the “fairness” of the disclosure of the personal data is best discovered from the context in which the personal data was provided to the Council in the first place.

22. The context, here, is to secure a commercial licence required by law to breed dogs. That license is necessary for the local authority to know who the licensed dog breeders in that area are, and so that the law can be enforced and welfare checks can be conducted as and when necessary in relation to the welfare of the dogs being bred commercially.

23. Licensing – in the ordinary course of things – is a public regulatory process. Indeed it was a public process in Carmarthenshire, in relation to the information that is at the core of this appeal, until the Council changed its policy in 2008.”

The Tribunal was unimpressed by the suggestive language of a survey of dog breeders which the council had carried out to support its case for non-disclosure. It also noted that a neighbouring council had disclosed such information.

The First-Tier Tribunal issued its decision in Dicker v IC (EA/2012/0250) today. It allowed the requester’s appeal and ordered disclosure of the salary of the chief executive of the NHS Surrey PCT over specified time periods, including total remuneration, expenses allowance, pension contributions and benefit details. As to legitimate interests in disclosure, the Tribunal said that (paragraph 13):

“In this case the arrangements (including secondment and recharge from another public authority at one stage) mean that the arrangements are not as transparent as might be wished and it is not entirely clear from the information published (as opposed to the assurances given) that the national pay guidance has been complied with. Mr Dicker asserted that the CEO was paid in excess of the national framework. The Tribunal was satisfied that there was a legitimate public interest in demonstrating that the national framework had been complied with and that the published information did not properly establish this”.

On the questions of distress and privacy infringements, the Tribunal took this view (paragraph 14):

“The CEO is a prominent public servant discharging heavy responsibilities who must expect to be scrutinised. Individuals in such circumstances are rational, efficient, hard-working and robust. They are fully entitled to a high degree of respect for their private lives. However the protection of personal information about their families and their health is a very different matter from having in the public domain information about income… The Tribunal simply cannot accept that anyone in such a role would feel the slightest distress, or consider that there has been any intrusion or that they would be prejudiced in any way by such information. From the perspective of the individual such information is essentially trivial; indeed, in other European societies, such information would be routinely available.”

If this approach were to become standard, the implications for public authorities would be significant.

Further, there are two very important personal data FOIA cases to look out for in the coming months. Following its decision in the Edem case late in 2012, the Upper Tribunal’s next consideration of personal data in the FOIA context is the appeal in the Morley v IC & Surrey Heath Borough Council (EA/2011/0173) case, in which the Tribunal – in a majority decision in which Facebook disclosures played a significant part – ordered the disclosure of names of certain youth councillors.

More importantly, the Supreme Court will hear an appeal from the Scottish Court of Session in July about a FOISA request for the number of individuals employed by the Council on specific points in the pay structure. The council relied on the personal data exemption (contending that individuals could be identified from the requested information), but the Scottish Information Commissioner ordered disclosure and succeeded before Scotland’s highest court. The Supreme Court will consider issues including the approach to ‘legitimate interests’ under condition 6(1) of schedule 2 to the DPA (the condition most often relied upon in support of disclosing personal data to the public). The case is likely to have far-reaching implications. For more detail, see Alistair Sloan’s blog.

Panopticon will, as ever, keep its eye on these and other related developments.

Robin Hopkins

11KBW Information Law Conference on 18th April 2013 – Richard Thomas CBE to give keynote address

Posted on | by Timothy Pitt-Payne KC

We are delighed that Richard Thomas CBE, the former Information Commissioner, will be giving the keynote address at our conference on 18th April.  His title is, “Risk, Accountability and Binding Corporate Codes: New Thinking for the draft Regulation.”

There is a widely-held view that the proposed EU Regulation on data protection is over-burdensome, and focused more on bureaucracy than protection. A more creative and flexible approach is needed, with better-defined outcomes, encouraging businesses which present the greatest risks to adopt comprehensive privacy programmes. Richard Thomas will outline how such an approach could be put at the heart of the Regulation, drawing upon a Risk Framework, the Accountability Principle, and Binding Corporate Codes.

We are also delighted that Richard will be able to join us for the expert panel discussion which will take place immediately after his keynote address.

For full details of the event, including booking information, see our earlier post here.

 

You wait ages for an official report about the ICO’s data protection audit powers

Posted on | by Timothy Pitt-Payne KC

… and then two come along at once.

On 21st March 2013 the House of Commons Justice Committee published a report about the ICO (see our earlier post here), recommending, among other matters, that the ICO should be given the power to carry out compulsory data protection audits of NHS Trusts and local authorities. With uncanny speed, on 25th March 2013 the Ministry of Justice (MOJ) published a consultation document on the proposed extension of the ICO’s compulsory audit powers to cover NHS bodies. Despite the coincidence of timing, the MOJ’s proposal is not in fact a response to the Justice Committee’s report, but is prompted by a recommendation from the ICO itself.

The MOJ’s consultation document asserts that significant data protection compliance problems exist within the NHS. Over the last six calendar years (2007-2012) the ICO has received over 5,000 data protection complaints from individuals about the health sector: the only sectors that have generated more complaints over that period are lenders, local government, and general business. During the same period, the NHS self-reported over 500 data security breaches to the ICO. The MOJ document gives six examples of monetary penalty notices against NHS bodies, for amounts ranging between £60,000 and £325,000.

The ICO can already carry out consensual audits of NHS bodies; the MOJ document refers to a number of issues that have been highlighted as a result of these, including the use of unencrypted mobile media holding sensitive personal data. Most NHS consensual audits have come about as a result of referrals from the ICO’s Enforcement team, but of the NHS organisations referred for audit by Enforcement only 53% have agreed. This compares unfavourably to the 71% level of agreement for the public sector as a whole.

A compulsory audit can be initiated by the ICO serving an “assessment notice” under DPA section 41A. Where this power exists, data controllers can still agree to consensual audits; and according to the MOJ report, no assessment notices have yet been served, because 100% of data controllers covered by the existing scope of section 41A have agreed to an audit when asked to do so by the ICO. In other words, the mere existence of the power of compulsory audit has been enough to secure compliance, meaning that so far there has been no need for the ICO to use the power.

The MOJ’s proposal to extend the power of compulsory audit does not require primary legislation: it would be given effect by an order made by the Secretary of State under section 41A(2)(b) of the Data Protection Act 1998. All public authority data controllers in the NHS would be covered, throughout the UK. In other words, the proposal would cover all NHS bodies listed in Part III of Schedule 1 to the Freedom of Information Act 2000 (likely to be amended following NHS reforms in England), and all Health Service data controllers in Scotland listed in Part 4 of Schedule 1 to the Freedom of Information (Scotland) Act 2002. Note that the proposals will not cover private or third sector health bodies providing services to the NHS, though the MOJ document refers to the possibility of a further order to include these bodies at a later date.

The consultation will remain open until 17th May 2013.

Timothy Pitt-Payne QC

 

11KBW Information Law Conference, 18th April 2013

Posted on | by Panopticon Blog

11KBW is a leading set of barristers in Information Law with a wide range of expertise across all aspects of this complex and rapidly evolving area.

Chair
Timothy Pitt-Payne QC

Venue
The Royal College of Surgeons of England, 35-43 Lincoln Inn Fields, London WC2A 3PE

Topics include
The Crown Jewels? – Safe space, policy and the veto
FOI use and abuse – Costs, vexatious and repeated requests, and search obligations
Recent cases in FOIA/EIR
Going to penalties – MPNs, handling and reporting data breaches
Privacy, safeguarding and surveillance – (including T v Greater Manchester, and Southampton v ICO)
Social media and the law

We are delighted to have Richard Thomas CBE, the former Information Commissioner for the UK, giving a keynote address at the conference.

An expert panel will be discussing ” The future of data protection”.

Full Programme click here.

CPD
The conference will be credited 4.5 hours CPD – SRA/BSB

Cost
£99 + VAT (20%) = £118.80 to attend half day plus lunch
£150 + VAT (20%) = £180.00 to attend full day

How to Book
To book your place on this conference please email RSVP@11kbw.com with the delegate name, firm, email address and any purchase order details you may require. You will be then sent a confirmation email of your place and invoiced. We do not have the facilities to accept payments by credit or debit cards.

The Justice Committee and the Information Commissioner

Posted on | by Timothy Pitt-Payne KC

On 21st March 2013 the House of Commons Justice Committee published a report (HC 962) on the functions, powers and resources of the Information Commissioner.  It is essential reading for anyone interested in understanding the current role and future prospects of the Information Commissioner’s Office (ICO).

 

The Committee monitors the Ministry of Justice’s associated public bodies, and as part of this remit it maintains a close interest in the ICO.  On 5th February 2013 the Committee held an oral evidence session with the Commissioner and his two deputies; it also received written evidence and supplementary information from the ICO.  The report reflects this oral and written evidence.

 

The report begins by looking at the finances of the ICO in an era of public sector austerity.   The ICO performs two separate areas of work, differently funded.  Freedom of information (FOI) work is paid for by grant-in-aid from the Ministry of Justice, while data protection work is financed by the notification fee payable by data controllers under the Data Protection Act 1998 (DPA).  The Commissioner is restricted in terms of “virement” – i.e. in general he cannot use DPA resources to fund FOI work, or vice versa.

 

As one would expect, freedom of information funding has been affected by the general pressures on public expenditure:  the income for this work has been cut from £5.5 million in 2011-12 to £4.25 million in 2012-13, with the ICO planning for further cuts in 2013-14.  Despite these cuts, the ICO has increased the amount of FOI casework completed, and reduced its backlog in this area.  The Committee is impressed by the ICO’s success in this regard, while warning that further budget cuts would risk adversely affecting performance.  The Committee suggests that the rules about virement should be relaxed.

 

The suggestion that DPA income might be used to subsidise FOI work seems a sensible one.  There is considerable overlap – FOI cases about personal data are a very important source of DPA case law.  However, it is disappointing that the Committee did not tackle more directly the question of whether FOI budget cuts make sense.  An effective FOI regime is a weapon against waste and fraud, and can help keep public expenditure under control.  The sums involved are modest, in the overall expenditure context – even the 2011-12 figure represents less than 10p per head of UK population.  It is, at the very least, worth considering whether cutting FOI funding is a false economy.

 

At first sight the funding position for DPA work seems significantly better.  The notification fee generates an annual income of some £15 million, over three times the FOI grant-in-aid.  The problem is that the EU’s proposed Data Protection Regulation would abolish the notification fee, while at the same time imposing a wide range of additional functions on the ICO.  The Committee suggests that the combined effect of these proposals would leave the ICO with a DPA funding shortfall of over £42 million.  The position is made yet more difficult by the recommendations in the Leveson Report as to the future role of the ICO in relation to the press, which are a further source of potential demands on the ICO’s budget.  The Committee suggests that the Government needs to find a way of retaining a fee-based self-financing system for ICO work, despite the current EU proposals.

 

Turning to the structure of the ICO, the Committee discusses the suggestion in the Leveson report that there should be an Information Commission led by a Board of Commissioners, rather than a single Information Commissioner.  The Committee disagrees:  it prefers the current model, with a single Commissioner taking personal accountability for the ICO’s work.  The Committee also addresses the independence of the ICO.  It recommends that the ICO should become directly responsible to and funded by Parliament, so as to guarantee its independence from the Executive.  However, the Committee does not suggest that the ICO’s independence has in fact been compromised in the past by its institutional relationship with the Ministry of Justice.

 

As to the ICO’s statutory powers under the DPA, the Committee makes recommendations in two areas.

 

In relation to the criminal offence under DPA section 55, the Committee suggests that this should be made recordable – that is, convictions should be recorded on the Police National Computer and hence included in any future checks relating to the individual’s criminal record.  The Committee also calls on the Government to bring into force section 77 of the Criminal Justice and Immigration Act 2008, so as to allow custodial sentences to be imposed for breach of DPA section 55.  The Committee sets out  – at §43 of its report – a list of other offences carrying custodial penalties for which those who breach DPA section 55 might be convicted:  for instance, there is the offence of unauthorised access to computer material, under the Computer Misuse Act 1990.  The Committee does not, however, regard the existence of these other offences as an adequate substitute for custodial penalties under DPA section 55.

 

In relation to the Commissioner’s audit powers, the Committee considers that as a general rule public sector organisations should accept an offer of a free DPA audit from the Commissioner.  It recommends that the Commissioner’s power of compulsory audit under DPA section 41A should be extended to NHS Trusts and local authorities.

Timothy Pitt-Payne QC

Charges under Reg 8 EIR: a Power Cut for Public Authorities

Posted on | by Christopher Knight

In Kirklees Council v IC & Pali Ltd [2011] UKUT 104 (AAC) the Upper Tribunal held, in the context of property search information, that reg 8(2) EIR precluded an authority from charging for allowing applicants to inspect information in situ and that a charge was only permissible if copy documents were provided to the applicant or the information was accessed other than by means of in situ inspection. The First-tier Tribunal has revisited the application of the charging rule in reg 8 EIR, again in the context of property search information, in Leeds City Council v IC & APPS Claimants (EA/2012/0020-21) (judgment of 22 March 2013).

The requestors had requested all the information the Council held which would enable them to complete and answer the questions in the relevant property search form issued by the Law Society (the CON29R form). Some of this information was made available by enabling free public inspection, but not all of it. The Council charged, under reg 8(1), the requestors £22.50 for the fulfillment of their request. This was the same sum that the Council charged for completion of the CON29R form (although the request had been for the raw data and not for the Council to complete the form itself) and the costs were calculated on the basis of staff time etc, rather than solely on the costs of disbursements (such as photocopying). The primary question for the FTT was whether the non-disbursement costs could properly be the subject of a charge under reg 8 EIR.

The FTT held that they could not. There was no authority directly on the point – Kirklees not having had to decide this issue – and the FTT had primarily to decide the issue by reference to the principles underlying the Aarhus Convention, the Directive and the EIR. It considered that the Implementation Guidance to the Convention to be of assistance because it referred only charges within the disbursement category: at [52]-[53]. As to the Directive, the FTT found the judgment of the ECJ in Case C-217/97 Commission v Germany [1999] ECR I-5087 to be helpful, finding that the meaning of the judgment was clear: “The costs that can be imposed relate to the act of supplying information in order to comply with a request, not to the act of identifying or retrieving or collating the relevant material in the first place”: at [76]. The public authority is not, following Kirklees, entitled to charge for its evaluative and collation work so that it benefits from a failure to put in place proper systems to permit EIR requests to be dealt with by free public inspection: at [78].

Unsurprisingly, given the purpose of and recitals to the Directive, the FTT accepted that any approach to the interpretation of charges must be narrow to be consistent with the aim of increasing public access to environmental information. Any interpretation which permitted charges to include more than disbursement costs would have “significant adverse consequences” to that access. A public authority may not charge “for the cost of administrative tasks or administrative acts which may include, but are not necessarily limited to, the spent by staff in locating, retrieving or redacting the information requested”: at [96]-[99].

The FTT’s conclusion on that issue resolved the appeal against the Council, but it went on to indicate its view as to the reasonableness of the charge imposed by the Council in any event. It considered that £22.50 was not a reasonable charge within the meaning of reg 8(3) EIR. In particular, the Council had automatically completed the CON29R form itself and charged the standard rate rather than answering the specific request for the raw data, as well as providing data at a charge which was already available for free. The charge was calculated by reference to matters which should not have been taken into account: “the nature of the information, the motives and assumed means of the applicants, the use to which the information would be put, and the fact that no objections had been received to the CON29R fee”: at [102](ii). Various of the other factors the FTT considered at [102] may be of assistance in other disputes over the reasonableness of the charge, although if the charge remains limited to disbursements such challenges may be relatively rare. The Council was also criticised for a failure to comply with reg 8(8) in that it had not published a schedule of charges, or the basis for their calculation, which could be scrutinised for fairness and reasonableness and as a result lost the entitlement to levy a charge under reg 8(1): at [118]-[119].

The case provides some helpful clarity to an area of some practical importance to public authorities, and is of considerable utility to those requesting environmental information. It remains to be seen whether it triggers a rash of complaints to the Commissioner about the reasonableness of the copying and postage charges levied under reg 8(1) (although they must, of course, be published in advance under reg 8(8)), but there is no doubt that the judgment in Leeds should prompt all public authorities to examine their information systems and charging structures to ensure that they are genuinely restricting themselves to charging for disbursements.

Anya Proops appeared for the Information Commissioner.

Christopher Knight