Roy Greenslade has posted a very interesting piece this afternoon on his blog on the Guardian website about a purported instance of “contracting out” of FOIA and DPA rights. According to his piece, Cheshire West and Chester Council has signed a compromise agreement with a former employee in which he or she contracts not to make requests to the Council under FOIA or the DPA (the EIR is not mentioned). The Council is confident that these provisions are effective. The ICO takes the opposite view – I suspect it will not be alone in doing so. Click here to read the piece.
Tag: data protection
BIOMETRIC INFORMATION IN SCHOOLS
In my post yesterday about the Protection of Freedoms Bill I referred to the provisions about biometric information in schools. I asked why this subject had been singled out for attention in the Bill, and whether there was any evidence that the current situation was unsatisfactory.
Action on Rights for Children (ARCH) have just posted on their website a very interesting briefing on the subject: see here. This is clearly an issue that has been of concern to ARCH for some years, and their paper gives an overview of developments since 2001. ARCH welcome the proposal to introduce consent into the process of taking children’s biometric data, but suggest that ensuring any consent is valid and informed will present a considerable challenge.
PERSONAL DATA OF WHISTLEBLOWING CIVIL SERVANTS: REDACTION AND FAIRNESS
Those considering the disclosure of personal data in a civil service context will wish to pay close attention to last week’s decision in Dun v IC and National Audit Office (EA/2010/0060). This is the latest Tribunal exercise in forensic scrutiny of fairness under the “personal information” exemption at section 40 (applied in tandem with the first data protection principle under the DPA).
The disputed information concerned the NAO’s enquiry into the Foreign & Commonwealth Office’s handling of employee grievances of a whistleblowing variety, i.e. those in which the employee had raised concerns as to “the proper conduct of public interest, fraud, value for money and corruption in relation to the provision of centrally-funded public services”. The request for information was triggered by the FCO’s inadvertent publication on its intranet of a “track changes” version of the draft report sent to it by the NAO: this tended to suggest that the FCO had sought not only to correct points of fact in that draft report, but also to influence its conclusions.
Unfairness of grievance and investigation information was pleaded based largely on the expectations of the complainants that their personal data would not be disclosed, and on the distress of their potentially being perceived as “trouble makers”.
A number of categories of arguably personal data were examined: junior civil servants’ names (outcome: don’t disclose), junior civil servants’ roles or job titles (outcome: disclose), contact details (outcome: don’t disclose, except for that part of an email address containing the name of a person whose name was otherwise to be disclosed), details of complaints and criticisms of employees (outcome: disclose in sufficiently redacted form).
The issue of redaction turned on whether disclosure in redacted form would preserve anonymity or achieve fairness – the NAO and IC had said no, but the Tribunal disagreed. It found that disclosure of whistleblowing case information in redacted form would be fair where (i) only those involved would be able to identify the persons being referred to, and (ii) those involved would not learn anything from the disclosed material which they did not know already.
This case is another instance of the established position that disclosure of the names of senior civil servants (here Grade 5 or above) will generally be fair, whereas those of their more junior colleagues would not. A note of caution here, however: the Tribunal was clear that no blanket policy should apply, and that fairness depends on the particular responsibilities and information with which the case is concerned.
One interesting aside: what of a civil servant who was junior at the time the information was created, but has since been promoted? Generally, subsequent events should not make a difference, but not necessarily: the Tribunal observed that it could “envisage a scenario where it is fair to disclose an earlier document in order to refute protestations of ignorance from the same individual who later becomes more senior and accountable”.
SCOTTISH GOVERNMENT ISSUES PRIVACY GUIDANCE
The Scottish Government has published its guidance document on Identity Management and Privacy Principles. The guidance is aimed at both public sector policy makers and with those involved in devising or operating systems for proving or recording identity. Key principles include:
- For services which are used frequently and for which identification is needed, users should be required to register only once. Thereafter, unless there is a statutory requirement to prove identity, a person should generally be able to access the service by authenticating themselves using a token (such as a bus pass or library card) that proves their entitlement without revealing personal information. In other circumstances, a user name and a password may be required.
- A Privacy Impact Assessment (PIA) or proportionate equivalent should be conducted and published prior to the implementation of a project which involves the collection of personal information.
- Where a public body has a contract with the private sector or the third sector, the contractor must be contractually bound to adhere to best practice as outlined in the guidance.
- The creation of centralised databases of personal information is to be avoided.
- If a public service organisation needs to link personal information from different systems and databases (internally or between organisations), it should avoid sharing persistent identifiers. Instead, other mechanisms – such as matching – should be considered.
WISE MEN, ANGELS AND SHEPHERDS
The Information Commissioner has produced a Good Practice Note on the taking of photographs in schools. The ICO press notice gives a seasonal example: “Having a child perform at a school play or a festive concert is a very proud moment for parents and is understandably a memory that many want to capture on camera. It is disappointing to hear that the myth that such photos are forbidden by the Data Protection Act still prevails in some schools. A common sense approach is needed – clearly, photographs simply taken for a family album are exempt from data protection laws. Armed with our guidance, parents should feel free to snap away this Christmas and stand ready to challenge any schools or councils that say ‘Bah, Humbug’ to a bit of festive fun.” The guidance states that the Data Protection Act is unlikely to apply in most situations where photographs are taken by parents in schools, although it does apply when photographs of children are taken for official use by a school or college (such as for issuing identification passes). The ICO advises that in the other small number of instances where the Data Protection Act 1998 does apply, it will usually be sufficient for the photographer to obtain permission from the parent or individual to take a photograph. The guidance is available here: https://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/taking_photos.pdf.
This post is also available on 11KBW’s education law blog: https://www.education11kbw.com/.
BACKDOOR ATTEMPT TO OBTAIN IRAQ WAR CABINET MINUTES FAILS
The minutes of the Cabinet meetings at which it was decided to go to war in Iraq have resurfaced for consideration by the Tribunal. First time round, the Tribunal agreed with the Commissioner that the minutes should be released, but the final word went to Jack Straw, by means of a ministerial veto – which was not subject to a judicial review challenge – issued under section 53 FOIA.
The requester in that case subsequently sought a backdoor route to the minutes, by requesting them under FOIA from the ICO itself. He also sought “background papers which show the processes of thought behind the Information Commissioner’s conclusion that the Cabinet minutes in question should be disclosed”. The ICO did not hold the minutes themselves, but it did hold some handwritten notes made by the then Commissioner, Richard Thomas, and by an ICO caseworker when visiting the Cabinet Office to inspect the minutes. It also held a confidential annex to the Decision Notice, which fell within the veto. All of these he refused to disclose.
The usual FOIA complaints and appeals process ensued, with the Commissioner issuing a decision notice in respect of his own refusal, and then defending that notice before the Tribunal in Lamb v IC (EA/2009/0108).
The basis of the refusal was section 44 FOIA, which provides that information is exempt if its disclosure is “prohibited by or under any enactment”. The Commissioner relied for the latter on section 59 of the DPA, which says that the Commissioner may not disclose information he obtained under the auspices of the Act “unless the disclosure is made with lawful authority”, which arises where “having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest”.
As the Tribunal accepted, this is a much higher threshold than the usual public interest test under FOIA: under section 59, there is effectively a presumption against disclosure.
The Tribunal was satisfied that this information was “obtained from” the Cabinet Office, notwithstanding the Appellant’s challenge on that point.
It also agreed with the Commissioner’s application of section 59. Much of the Appellant’s argument turned on the importance of the material he sought. This, said the Tribunal, overlooked the point that the Commissioner had already decided in the Appellant’s favour concerning the Cabinet minutes which he sought. The Tribunal also commented that:
“It is no part of the freedom of information regime to provide a mechanism by which a party who prosecuted a successful complaint to the Information Commissioner in the past may have his or her winning margin reassessed in the light of events subsequent to the date of the original victory”.
The Tribunal did not comment on whether the mere existence of the veto gave rise to the engagement or effectiveness of section 59. Nor did it speculate as to the circumstances in which reliance on section 59 could be defeated – although the wording of that section clearly envisaged this prospect.