Tag: Data Protection Act 1998

Campaigning journalism is still journalism: Global Witness and s.32 DPA

Posted on | by Peter Lockley

In an important development in the on-going saga of Steinmetz and others v Global Witness, the ICO has decided that the campaigning NGO is able to rely on the ‘journalism’ exemption under s.32 of the Data Protection Act 1998 (DPA).

The decision has major implications for journalists working both within and outside the mainstream media, not least because it makes clear that those engaged in campaigning journalism can potentially pray in aid the s. 32 exemption. Importantly, it also confirms that the Article 10 right to freedom of expression remains a significant right within the data protection field, notwithstanding recent developments, including Leveson and Google Spain, which have tended to place privacy rights centre-stage (Panopticons passim, maybe even ad nauseam).

Loyal readers will be familiar with the background to the Global Witness case, for which see original post by Jason Coppel QC.

In brief: Global Witness is an NGO which reports and campaigns on natural resource related corruption around the world. Global Witness is one of a number of organisations which has been reporting on allegations that a particular company, BSG Resources Ltd (“BSGR”), secured a major mining concession in Guinea through corrupt means. A number of individuals who are all in some way connected with BSGR (including Benny Steinmetz, reported to be its founder) brought claims against Global Witness under the DPA. The claims included a claim under s. 7 (failure to respond to subject access requests); s. 10 (obligation to cease processing in response to a damage and distress notification); s. 13 (claim for compensation for breach of the data protection principles) and s. 14 (claim for rectification of inaccurate data). Significantly, Mr Steinmetz alleged, amongst other things, that because he was personally so closely connected to BSGR, any information about BSGR amounted to his own personal data. If successful, the claims would have the effect of preventing Global Witness from investigating or publishing further reports on the Guinea corruption controversy.

Global Witness’s primary line of defence in the High Court proceedings was that all of the claims were misconceived because it was protected by the ‘journalism’ exemption provided for by s. 32 of the DPA. After a procedural spat in March (Panopticon report here), Global Witness’s application for a stay of the claims under s. 32(4) DPA was allowed by the High Court. The matter was then passed to the ICO for a possible determination under s.45 DPA. (In summary, such a determination will be made if the ICO concludes, against the data controller, either: (a) that the data controller is not processing the personal data only for the purposes of journalism or (b) it is not processing the data with a view to future publication of journalistic material).

In fact, the ICO declined to make a determination under s. 45. Moreover, he decided that, with respect to the subject access requests made by the claimants, Global Witness had been entitled to rely on the exemption afforded under s. 32. With respect to the latter conclusion, the ICO held that there were four questions which fell to be considered:

(1) whether the personal data is processed only for journalism, art or literature (s.32(1))

When dealing with this question, the ICO referred to his recent guidance Data Protection and journalism: a guide for the media, in which he accepted that non-media organisations could rely on the s.32 exemption, provided that the specific data in question were processed solely with a view to publishing information, opinions or ideas for general public consumption (p.30). He went on to conclude that this requirement could be met even where the publication is part of a wider campaign, provided that the data is not also used directly for the organisation’s other purposes (e.g. research or selling services). The ICO was satisfied that this condition was met for the data in question.

(2) whether that processing is taking place with a view to publication of some material (s.32(1)(a))

It is apparent from the decision letter that Global Witness was able to point to articles it had already published on the Simandou controversy, and since the controversy was on-going, to show it intended to publish more such articles. The ICO was satisfied that, in the circumstances, this second question should be answered in the affirmative.

(3) whether the data controller has a reasonable belief that publication is in the public interest (s.32(1)(b))

The ICO emphasised that the question he had to ask himself was not whether, judged objectively, the publication was in the public interest, but rather whether Global Witness reasonably believed publication was in the public interest. In the circumstances of this case – small NGO shines a spotlight on activities of large multinational in one of the world’s poorest countries amid allegations of serious corruption – he readily accepted that Global Witness held such a belief, particularly as the data related to the data subjects’ professional activities, for which they in any event had a lower expectation of privacy than in relation to their private lives.

(4) whether the data controller has a reasonable belief that compliance is incompatible with journalism. (s.32(1)(c))

Again, the focus here was on Global Witness’ reasonable beliefs. The ICO accepted that Global Witness had reasonable concerns that complying with the subject access requests which had been made by the claimants would prejudice its journalistic activity in two ways:, first, by giving the data subjects advance warning of the nature and direction of Global Witness’ investigations, which could be used to thwarting effect and, second, by creating an environment in which the organisation’s sources might lose confidence in Global Witness’ ability to protect their identities.

The decision will no doubt substantially reassure campaigning and investigative journalists everywhere. Unsurprisingly, it has been widely reported in the media (see e.g. Guardian article, Times article and FT article here). Notably, the FT reports that the claimants are asserting that they intend to challenge the decision. We will have to wait until the New Year to discover whether these assertions translate into action and, if they do translate into action, what form that action will take.

Anya Proops of 11KBW acts for Global Witness.

Peter Lockley

(Scottish) Data protection litigation – South Lanarkshire and more

Posted on | by Robin Hopkins

I have observed (Panopticon passim) that the Data Protection Act 1998 features surprisingly sparingly in litigation. That appears to be somewhat less true of Scotland: for instance, Common Services Agency [2011] 1 Info LR 184, the leading case on anonymisation and barnardisation, came before the House of Lords from Scottish litigation. Here are two more recent examples, one from today, the other from last month.

South Lanarkshire

The Supreme Court has today given judgment in an appeal from the Inner House of the Scottish Court of Session about a FOI(S)A request for the number of individuals employed by South Lanarkshire Council on specific points in the pay structure, for the purposes of analysing compliance with Equal Pay legislation. The Council relied on the personal data exemption (contending that individuals could be identified from the requested information), but the Scottish Information Commissioner ordered disclosure. The Council’s appeal was dismissed by the Court of Session ([2012] CSIH 30) and, today, by the Supreme Court (South Lanarkshire Council v Scottish IC [2013] UKSC 55).

There were two issues for the Supreme Court. First, what does ‘necessary’ mean when it comes to condition 6(1) of schedule 2 to the DPA (the condition most often relied upon in support of disclosing personal data to the public), which provides that:

The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Giving the Court’s judgment, Baroness Hale said that it was obvious that condition 6 requires three questions to be answered: (i) is the data controller or the third party or parties to whom the data are disclosed pursuing a legitimate interest or interests?, (ii) is the processing involved necessary for the purposes of those interests?, and (iii) is the processing unwarranted in this case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject? In her view, “it is not obvious why any further exegesis of those questions is required” (paragraph 18).

Further exegesis was, however, required because of the Council’s submissions as to how strictly the term “necessary” should be construed. Baroness Hale’s answer was entirely unsurprising (see paragraphs 25-28). “Necessary” has to be considered in relation to the processing to which it relates. If the processing involves no interference with Article 8 ECHR rights, then it might be thought that all that has to be asked is whether the requester is pursuing a legitimate interest in seeking the information (which was not at issue in this case) and whether he needs that information in order to pursue it. If the processing does engage Article 8 ECHR rights, then “it is well established in community law that, at least in the context of justification rather than derogation, “necessary” means “reasonably” rather than absolutely or strictly necessary”. None of this will come as a surprise – as, for example, Jon Baines has observed in his Information Rights and Wrongs post. Indeed, as Baroness Hale observed, it is unclear that the stricter standard of necessity for which the Council argued would have been any more favourable to it.

The second issue before the Supreme Court was a natural justice challenge. The Scottish IC had asked the applicant a number of questions during his investigation, and had also received letters supporting the request from a number of MPs. This information had not been shared with the Council.

Baroness Hale observed that it was common ground that the Commissioner has a duty to act fairly (see for example Glasgow City Council v Scottish Information Commissioner [2009] CSIH 73, 2010 SC 125). The Commissioner is entitled to make his own enquiries and formulate cases on behalf of applicants, but “he must, of course, give them notice of any new material which his inquiries have elicited and which is adverse to their interests” (paragraph 31). Her Ladyship further observed (paragraphs 31-32) that:

“31. I would add that the Commissioner is fulfilling more than an administrative function. He is adjudicating upon competing claims. And in Scotland, unlike England and Wales, there is no appeal to a tribunal which can decide questions of both fact and law. The Commissioner is the sole finder of facts, with a right of appeal to the Inner House on a point of law only. These factors clearly enhance his duty to be fair. If wrong findings of fact are made as a result of an unfair process, the Inner House will not be able to correct them.

32. However, it does not follow that every communication passing between the Commissioner and the applicant, or between the Commissioner and third parties such as Members of the Scottish Parliament, has to be copied to the public authority…”

In this case, there was no breach of natural justice, and the Council’s appeal failed on both grounds.

Lyons

Another of the more notable recent data protection cases is also Scottish. Additionally, it touches upon another of my observations (see here, for example) about the potential synergies and overlaps between the DPA and defamation. The case is Lyons v Chief Constable of Strathclyde Police [2013] CSIH 46 A681/10, and will be reported in the upcoming edition of the 11KBW/Justis Information Law Reports. In rough outline, the case concerned Mr Lyons’ complaints about two disclosures about him made by the police authority to regulatory/licensing bodies. The police had said that he was recorded on the Scottish Intelligence Database as having been involved in serious organised crime. Mr Lyons denied such involvement, and sued for defamation and damages under section 13 of the DPA.

His defamation claim failed because the police’s communications were made in circumstances which attracted qualified privilege, and were not tainted by malice.

The DPA claim failed too. The accuracy requirement of the fourth data protection principle had not been breached, because even if “Mr Lyons is involved in crime” were inaccurate, “Mr Lyons is recorded on the database as being involved in crime” could not be said to be inaccurate. The police’s reporting of that information arguably lent it some credence, but there was no indication on the facts of unequivocal endorsement of these statements such as to constitute the processing of inaccurate personal data by the police. Here the Court considered the Kordowski DPA/defamation case.

There was also an argument that disclosure of this information had been unfair, though (surprisingly) the case does not appear to have been pleaded as such. The essence of the unfairness argument was that, in Mr Lyons’ view, the police should have contextualised its disclosures by explaining to the recipients the source of the intelligence as to his alleged criminal involvement. The Court of Session dismissed this argument: the police could not sensibly disclose the identities of informants, given the DPA rights of the informants themselves, while Mr Lyons would not be entitled to learn through a subject access request who the informants were (see the exemptions under sections 29 and 31 of the DPA).

Here are a few interesting DPA points to emerge from the Court’s discussion. One is if a data controller endorses the veracity of inaccurate information obtained from someone else, that is not of itself a breach of the DPA (see paragraph 21). Some might query this, at least if applied inflexibly.

A second interesting point is that some might argue as follows: “to present decontextualised allegations in a manner which suggests you consider them credible could surely constitute unfairness. Perhaps you were not required to name your sources, but in the interests of fairness you could at least have made clear that you were passing on information obtained from others whom you considered to be credible”. Roughly that sort of argument seems to have been advanced here; no doubt the facts did not ultimately support it, but stepping back from the facts of this case, the (admittedly woolly and under-litigated) notion of fairness would arguably demand such an approach in many cases.

A third and final point of interest: the complainant relied on what he said were breaches by the police of a number of common law principles emerging from judicial review jurisprudence and the like. The Court was not impressed by their relevance to alleged DPA breaches, at least in the context of this case: see paragraphs 26-27, where the Court suggested that for there to be a DPA breach, there must be a particular DPA requirement which has been breached (though admittedly it did observe earlier in its judgment that ‘lawful’ in the context of the first data protection principle has no special meaning). Some might argue that fairness and lawfulness are designed to be broad enough to encompass principles outside of the black letters of DPA law. Indeed, Article 8 ECHR is increasingly the focus of arguments as to the lawfulness of processing: see for example the ICO’s enforcement notice concerning the use of ANPR cameras in the policing context, issued last week.

In other words, the DPA is not designed to be an entirely self-contained legal world, but rather to protect personal information by reference to all considerations having a bearing on what is being done with that individual’s information, whether or not they are listed by name in the DPA. This is not necessarily a point of disagreement with the Lyons outcome, but a broader observation about what kind of a creature the DPA is, or is intended to be.

Robin Hopkins (@hopkinsrobin)

Court of Appeal rules on damages for frustration at DPA breach

Posted on | by Robin Hopkins

On a day in which the remedying of privacy breaches of the kind considered by Leveson LJ dominated parliamentary debate, the Court of Appeal (Arden LJ, Lloyd LJ and Ryder J) delivered an interesting judgment on remedies for privacy breaches of the data protection variety.

Halliday v Creation Consumer Finance concerned Mr H’s appeal against a damages award to him under s. 13 of the Data Protection Act 1998. He had obtained default judgment against CCF for its breach of the DPA: it had accidentally and temporarily passed to a credit reference agency incorrect information about his allegedly having an unpaid debt of £1500 (Mr H and CCF had in fact resolved their dispute by that point). The judge at first instance awarded Mr H nominal damages of no fixed amount, but was not satisfied that there was evidence of reputational harm or prejudice to Mr H’s credit position. Mr H therefore received nothing in the way of substantial damages.

His appeal has been allowed. Nominal damages were set at £1 – as Panopticon understands it, this appears to have sufficed as ‘damage’ for s. 13(1) purposes, thereby entitling Mr H to compensation for distress under s. 13(2). He was awarded £750 in recognition of his distress and frustration at CCF’s wrongful processing, but there was no cogent evidence of him having suffered injury to feelings at the time, and CCF’s breach was a technical error rather than an intentional mis-statement. Hence the somewhat insubstantial sum by way of substantial damages.

Mr H sought to rely on Article 24 of Directive 95/46/EC which provides that member states must provide for sanctions where data protection rights have been infringed, but the Court of Appeal held that he could not seek direct enforcement of that provision in private proceedings, and that it was not the function of the civil courts to impose sanctions on data controllers – rather, their function under s. 13 of the DPA was to compensate data subjects.

It is understood that this judgment was delivered ex tempore, with a written judgment to follow, along with more Panopticon analysis.

Robin Hopkins

Central London NHS Trust: key points from the Tribunal’s first MPN case

Posted on | by Robin Hopkins

I reported earlier this week on the outcome of the first case of this type to reach the Tribunal. Here is my analysis of the key points.

Factual background

Central London Community Healthcare NHS Trust v IC (EA/2012/00111) concerned the first monetary penalty notice (MPN) to be appealed to the First-Tier Tribunal. The Trust’s appeal has been dismissed by the Tribunal (Professor Angel, Rosalind Tatam and Paul Taylor). The decision can be accessed here: Central London NHS Trust v IC EA20120111.

The background is that the Trust had, on some 45 occasions, faxed a list of palliative care in-patients to the wrong fax number (namely to that of a member of the public who notified the Trust and said he had destroyed the faxes – but he was never traced and destruction could not be confirmed). This was sensitive personal data: it included names as well as information about patients’ medical diagnoses, treatment and domestic situations.

The MPN

The IC found that the Trust had breached the seventh data protection principle, which requires that:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

The IC decided that the three preconditions for the exercise of his discretion to issue a MPN under section 55A of the Data Protection Act 1998 had been met here. These conditions are (i) there was a serious contravention of the DPA, (ii) this contravention was of a kind likely to cause substantial damage or substantial distress, and (iii) the contravention was either deliberate, or the data controller knew or ought to have known that there was a serious risk that a contravention would occur and would be of a kind likely to cause substantial damage or distress, but failed to take reasonable steps to prevent it happening.

The IC is empowered to impose MPNs of up to £500,000. In this case, the amount was £90,000.

The Tribunal’s jurisdiction

On the Trust’s appeal, one of the first issues for the Tribunal was the extent of its statutory powers under section 49 of the DPA (which mirrors section 58 of FOIA): the Tribunal agreed with the Trust that, as with appeals under FOIA, the Tribunal had jurisdiction to consider the matter de novo; it was not restricted to a review along public law lines. It also found that it could either allow the appeal, or substitute an alternative MPN (including one imposing a higher penalty than that imposed by the IC), or substitute an enforcement notice instead (paragraphs 36-39).

Alleged indication that no MPN would be issued

The only point of evidence in dispute was the Trust’s contention that the IC’s enforcement team had indicated during the investigation that no MPN would be issued. The Tribunal found that the Commissioner’s enforcement officer “did not give any serious indication or assurance that there would be no fine or MPN in this case which in any way excluded the IC from deciding to issue an MPN” (paragraph 46).

The IC’s decision-making process

The decision to impose a penalty is taken by a Deputy Commissioner, in consultation with an internal working party comprising various senior managers within the ICO and one of the ICO’s enforcement lawyers. Having decided that an MPN should be issued, the ICO determined the amount by reference to an internal, unpublished framework as follows:

(i) Serious = £40,000 to £100,000

(ii) Very serious = more than £100,000 but less than £250,000

(iii) Most serious = more than £250,000 up to the maximum of £500,000.

It decided that this case was in the “serious” category. Its methodology was then to take the midpoint of that band and consider any aggravating or mitigating circumstances.

As required by the DPA, the ICO then issued the Trust with a Notice of Intent to issue a MPN to the value of £90,000. The Trust accepted that a financial penalty was warranted, but disputed the amount, making submissions on mitigating factors. The ICO maintained its position and issued the MPN.

‘Assessments’ and the statutory bar under section 55(3A)

By section 55(3A) of the DPA, the IC may not use anything which came to his attention pursuant to his carrying out an ‘assessment’ under section 51(7) when deciding on whether an MPN can be imposed. The Trust argued that the IC’s investigation of its voluntarily-reported breach constituted an ‘assessment’.

The Tribunal considered the rival submissions on the legislative intent behind the bar imposed by section 55(3A) (though on this point it rejected the Trust’s invitation to take ministerial statements into account, on Pepper v Hart principles) and on the range of powers open to the IC. It preferred those of the IC: section 51(7) is directed at educating and advising data controllers, on the basis of a consensual engagement, with a view to avoiding future breaches of the DPA. The aim of the statutory bar provided for under section 55A(3A) is to prevent the IC from using information he obtains via the educational/advisory process provided for under section 51(7) to impose an MPN on a data controller. This case did not involve such an educational/advisory process. There was no assessment under section 51(7) (paragraphs 87-91).

The IC’s adherence to its own policy

The Trust did not contend that the IC failed to apply the statutory guidance on MPNs. It did, however, argue that it failed to consider or adhere to its own non-statutory policy on the reporting of breaches, which said that “the Commissioner will not normally take regulatory action unless a data controller declines to take any recommended action, he has other reasons to doubt future compliance or there is a need to provide reassurance to the public”.

Again, the Tribunal found for the IC: the statutory guidance was what really mattered, but in any event the IC had not departed from its own policies (paragraphs 102-103).

The IC’s exercising of its discretion

Where the conditions for the issuing of an MPN are met, the ICO still has a discretion as to whether or not to issue one. The Trust argued that the ICO had failed to exercise its discretion lawfully: there was no evidence of it taking into account relevant considerations.

The particular considerations relied upon by the Trust were (i) the ICO failed to take proper account of the overriding policy objective to encourage cooperative working between it and data controllers and failed to give sufficient credit for the Trust’s transparency and its co-operative stance, (ii) the effect of the ICO’s policy to impose high profile fines on data controllers who voluntarily report incidents and cooperate with its investigations is to discourage other controllers from being open and transparent, and (iii) the ICO’s approach to cases of this nature creates an unfair and unsustainable distinction between those data controllers who, when suspected of being in breach of the DPA, are required to submit to assessment notices or are requested to undergo consensual audits and those, like the Trust in this case, who voluntarily submit themselves to regulatory scrutiny. The Trust argued that the ICO had failed to think about these points.

The Tribunal rejected these criticisms as misconceived (paragraph 122). While the ICO’s process could have been more comprehensible, it could not be said to have overlooked relevant matters.

Consideration of mitigating factors

Next, the Trust contended that the ICO had failed properly to consider the mitigating factors on which it made submissions. Again, the Tribunal disagreed. The ICO had not erred in this way. In any event, the Tribunal did not seem to find the mitigating factors to be particularly forceful. It said:

“The fact that there was a voluntary notification cannot be given much weight when the Trust was under, in effect, an obligation to report (both to the ICO and to the NHS regionally). In any case it was reported over a month after the breach was discovered. Co-operation was the least that could be expected for such a serious breach. By the time the Trust informed the patients over three quarters were dead. There is still no absolute guarantee the sensitive information has been destroyed. The Trust’s mitigating features are therefore features to which we find the IC could not give much weight. In any case they are almost all post facto events and nothing about the wrongdoing” (paragraph 128).

The Trust’s criticisms of the IC’s decision on the amount of the MPN

The Trust said that the IC never explained its methodology for calculating the amount of the MPN – the three categories of seriousness, for example, were never mentioned, nor was the means of calculation. Once again, the Tribunal did not agree. It considered that the IC had made the principles behind its approach clear to the Trust prior to issuing the MPN.

Notable the Tribunal observed that “We find it interesting that the contravention is only categorised as “serious” and not “very serious” as it seems to us on the facts of this case the IC could have taken a more penal approach to the amount in question” (paragraph 138) and concluded that “We are satisfied that the ICO has reached a figure within a range of reasonable figures it could have considered” (paragraph 139). It also rejected the submission that the IC failed to take the mitigating factors into account when deciding on the amount of the MPN (paragraph 148).

Discount for early payment

The final issue considered by the Tribunal is of significant importance. MPNs provide for a discount (here: 20%) for early payment. If a data controller appeals an MPN and loses, can it still claim the discount? The Trust argued that, by refusing to keep the discount offer open pending the outcome of the appeal, the IC was penalising it for exercising its legal right to have its cased tested by a Tribunal. The Tribunal disagreed: “The purpose of the scheme would appear to us to encourage early payment and also to ensure there is an early resolution to the matter. There is no provision for a without prejudice payment” (paragraph 153). The IC did not err in refusing to keep the discount offer alive, and the Tribunal refused to restore that offer.

Data controllers who contravene the DPA in a serious or potentially serious way should take note of this last point, and indeed of the Tribunal’s first excursion into the new MPN appeal territory.

First-Tier Tribunal decisions are of course not binding on other First-Tier Tribunals. There will be more appeals against MPNs later this year. Panopticon will report on whether the principles from the Central London NHS Trust case are borne out by future decisions. For now, this decision is the best data controllers have to go on.

Tim Pitt-Payne QC appeared for the Trust. Anya Proops appeared for the IC.

Robin Hopkins

Section 7(9) DPA is about privacy, not employment disputes

Posted on | by Robin Hopkins

Disputes about subject access requests under section 7 of the Data Protection Act 1998 only rarely make their way to the Higher Courts. The leading – and often bedevilling – case of Durant is, for example, now 9 years old. Given this scarcity of precedent from the High Court and Court of Appeal, up-to-date illustrations of the judiciary’s approach to the DPA are most usefully sought in County Court judgments – see for example Panopticon’s post on the case of Elliot v Lloyds TSB Bank from earlier this year.

The most recent notable judgment is that of the County Court (HHJ May QC) in Professor Karim Abadir v Imperial College.

The applicant is an eminent econometrics professor employed by Imperial and has been since 2005. In 2011, Professor Abadir took issue when another professor at Imperial began to assess the academic staff by means of subjective metrics. The applicant objected to this, considering those metrics to be inappropriate for the academic staff in his department, and sought disclosure of the discussions that had taken place prior to their implementation.  Aggrieved, he made a subject access request. He was given some information, apparently of the human resources variety in the main. He objected to the nature of some of the comments which had been circulated about him and took the view that some of the emails he sought had been deleted. Imperial informed him in July that it would be implementing an email system upgrade and change of server in August. The applicant feared that some of the emails he wished to obtain would be permanently deleted. He sought an injunction preventing the systems work and requiring Imperial to search for and disclose to him “every document where reference is made” to him, including in deleted files.

Professor Abadir’s application was refused for a number of reasons.

Two reasons were matters of form, in that they related to what was missing from the application. The application was “objectionable” on the grounds that the applicant had not specified the nature of the underlying claim he would bring in due course. Also, assuming the underlying intended claim to be under section 7(9) of the DPA, the Judge expected the applicant to provide a draft order specifying exactly what information or searches he sought. The applicant had not done so. Instead, he asked for “generalised search of all computer systems, to include deleted data”.

Two further reasons were fatal in substantive terms. One was that there was no evidence to support the claim that the systems work would lead to the permanent loss of relevant emails. In fact, Imperial’s evidence contradicted that. There was thus no urgency to justify granting an injunction.

The final reason concerned the purpose or motive behind Professor Abadir’s claim. It was confirmed that his purpose was “to obtain disclosure of documents for purposes of deciding how to frame and pursue against Imperial College employment grievances which Prof Abadir believes he has. Put this way, the process by which documents are sought, given the purpose to which they are intended to be put, is much more akin to an application for pre-action disclosure.  It is disclosure, not right of access to personal data, which Prof Abadir is really seeking from Imperial College.”

On this point, HHJ May QC concluded that “disclosure is sought is not for the purposes of protecting Prof Abadir’s privacy but for the purposes of pursuing a claim against his employer.  To use the provisions of the DPA to pursue such a purpose is an abuse: Ezsias v The Welsh Ministers”.

Unusually, the Judge also awarded the University costs on an indemnity basis. In part, this was because the applicant had failed to identify the underlying cause of action, or to contact Imperial to make enquiries about its server changes before issuing his application for an injunction. HHJ May QC also concluded as follows: “to the extent that the injunction was sought for the purposes of supporting an intended action for DPA disclosure, it was clearly misconceived.  To seek disclosure under the DPA for the purposes of considering an employment claim is an abuse.  In any event, as DPA proceedings are for the purposes of protecting privacy, deletion/destruction of documents would not be contrary to those purposes, quite the reverse.”

It is apparent, therefore, that Courts continue to be unimpressed by the pursuit of subject access requests motivated by prospective litigation, and that they tend to see privacy concerns (rather than employment grievances) as the underlying rationale for the right of access to personal data. This will be welcomed by many data controllers.

Anya Proops appeared for Imperial College.

Robin Hopkins