Civil penalty notices: consultation

When the new monetary penalties regime under sections 55A-E of the DPA comes fully into force, the Information Commissioner will have power to impose a civil penalty on a data controller for a serious contravention of any of the data protection principles if – in essence – the contravention is (1) deliberate or reckless and (2) of a kind likely to cause substantial damage or distress.


The Ministry of Justice is currently consulting on what the maximum penalty under section 55A should be. £500,000 is proposed. Whilst this is clearly not an insubstantial sum, it needs to be compared with the fact that many other regulators have power to impose a penalty of up to 10% of an organisation’s turnover. If the data controller at issue has a turnover that is significantly above £5m, and – for example – a serious contravention has caused damage or distress to a very large number of people, the maximum penalty of £500,000 may begin to look a little on the small side. Indeed, the Commissioner may not even be able to go that far: the ICO’s draft guidance on the monetary penalty powers indicates at paragraph 7.4 that swift payment of the penalty will lead to a 20% reduction. So a data controller that decides not to contest the penalty may end up only paying a maximum of £400,000.


One final point. The penalties are to be paid into the consolidated fund (section 55A(8)). Thus, where the data controller is a central government body, the imposition of any size of penalty will have a slightly unreal quality to it, as the sum involved will simply return to the financial pot from which the body in question drew its funding in the first place.


WHEN WILL THEY EVER LEARN?

We call them “data protection duck outs”.  The New Zealanders call them “BOTPAs” (standing for “Because of the Privacy Act”).  Organisations do something silly, and then blame it on data protection legislation.

There’s a nice recent example. A parcel was addressed to a 9-day-old baby. Initially the Royal Mail wouldn’t deliver it to her grandfather, apparently because the Data Protection Act required the baby to sign for it personally. Not surprisingly, the ICO has confirmed that the Act does not require anything of the kind.

Abortion statistics: identification of patients and doctors held to be unlikely

In 2003, the Department of Health significantly reduced the detail of publicly available statistics on abortion operations: for example, no information was any longer to be released about post-24-week abortions carried out on the grounds of foetal medical defects. The Department relied principally on s. 40 FOIA in refusing the Prolife Alliance’s request for more detailed data. The Information Tribunal has, however, ordered the statistics to be disclosed: see Department of Health v IC (Additional Party: the Pro Life Alliance) (EA/2008/0074). The Tribunal agreed with the Department that the requested abortion statistics, although entirely anonymised, did constitute personal data because they were not anonymous in the hands of the data controller. The Department’s principal concern, namely the inferential identification of doctors or patients, was not, however, considered ‘likely’ in the circumstances. This factual finding meant that, in the Tribunal’s view, the release of the requested personal data was fair and lawful and that (under paragraph 6(1) of Schedule 2 to the DPA) the potential prejudice to patients and doctors was outweighed by legitimate third party interests in (inter alia) monitoring compliance with abortion law, identifying abortion trends, informing public debate and encouraging accountability of medical practitioners. The decision is of note for its detailed analysis of the ways in which individuals might be identified from statistical data, and for the Tribunal’s reliance on the Corporate Officer of the House of Commons litigation (in its various stages) for guidance on the balancing test under paragraph 6(1) of Schedule 2 to the DPA.

Media Law and Practice – new book from OUP

Hot off the press is a new book from OUP on “Media Law and Practice”, edited by David Goldberg, Gavin Sutter, and Ian Walden. 

This is a multi-author book, written by a team of practitioners and academics.  It covers a wide range of media topics, including ownership, regulation, intellectual property, defamation, and commercial communications.       

I contributed a chapter on Information Law:  this discusses data protection, freedom of information, and human rights issues, including articles 8 and 10 of the Convention.  One of the book’s features is that it deals with new forms of communication (including blogging), as well as traditional print or broadcast media.  So I had to address questions such as, how would the “special purposes” defined in the DPA (ie artistic, journalistic and literary purposes) apply to web-based publications?

The impetus for the book comes from the Institute of Computer and Communications Law, based in the Centre for Commercial Law Studies, Queen Mary, University of London.  All three editors are members of the Institute.  It’s a major centre for research and teaching in areas related to information law, including intellectual property, telecoms regulation, computer law, and media law.

The book is available online from OUP’s website.

Court of Appeal judgment on Police Database

On 19 October 2009, the Court of Appeal, in Chief Constable of Humberside Police v Information Commissioner [2009] EWCA Civ 1079, allowed police appeals against a decision of the IC, upheld by the IT, that data on old minor convictions (of which there are probably about 1 million) must be deleted from the Police National Computer (“the PNC”). The Court of Appeal held that retaining information for police operational needs in the fight against crime and for other purposes was justified and did not infringe the data protection principles (“the DPP”) under the DPA 1998, especially principles 3 (personal data shall not be excessive in relation to the purpose for which they are procured) and 5 (personal data shall not be kept for longer than is necessary).

Waller LJ, applying the approach from the Bichard Inquiry, following the Soham murders, said, at paragraph 43: “If the police say rationally and reasonably that convictions, however old or minor, have a value in the work they do that should, in effect, be the end of the matter.”

Carnwath LJ referred to the importance, in a case of this kind, of having the involvement of a judge with direct and hands-on experience of the criminal system. Hughes LJ, with direct hands-on experience of both the criminal and family systems, summarised the position as being that it is for the data controller to determine the purpose(s) for which the data is processed; it is not open to the IC to impose his own determination of those purposes; the imposition of a concept of ‘core police purposes’ was misconceived; and in any event the proper purposes of the police in managing the PNC plainly include the retention of information for provision to others who have a legitimate need for it.

Hughes LJ emphasized practical considerations and in particular the value, in the public interest, of the existence of a single comprehensive record of convictions and of its being held by police forces acting collectively. Hughes LJ said, at paragraph 107: “Like both Waller and Carnwath LJJ, I take the clear view that if senior police officers with considerable operational experience are satisfied that even very old and comparatively minor convictions may sometimes be of assistance in police investigations, then unless that view is perversely or unreasonably held, it is not open to the Commissioner to substitute his own view of their potential use. But I should also add that the opinion expressed by the police witnesses in this case entirely accords with what is seen to be true from time to time in major criminal investigations. As was in evidence in these proceedings, Dame Janet Smith also reached a similar conclusion when considering the investigation into Dr Shipman. Such old convictions, if never subsequently repeated, may very well not be the kind of material which it is proper to put before a jury, … but that does not begin to mean that they have not been of use in the investigation. Quite apart from propensity (or lack of it) to offend in a particular manner, they are likely to be useful for other reasons, of which location and associates are but two simple examples. Moreover, the critical consideration is not the use of the conviction standing by itself, but its potential value in conjunction with other information pieced together by a skilled detective.”

Hughes LJ further observed that many others depend heavily, and reasonably, on the maintenance by the police of these records. Those others include (but are not limited to) the criminal courts, the family courts and those concerned with the protection of children and the vulnerable. He said that the criminal courts have a plain need for reliable and comprehensive information. The Rehabilitation of Offenders Act 1974 is expressly made not to apply to criminal proceedings. There are at least two situations in which the need for such records arises daily. The first is in sentencing. The second relates to the credit of witnesses, especially those relied upon by the Crown. The Secretary of State for Justice expressed the view in this case that “providing anything less than full information to the courts would potentially undermine the criminal justice process”. Hughes LJ agreed.

Hughes LJ also stated that the importance of multi-agency working to child welfare in general, and to child-centred family proceedings in particular, has been recognised for many years, has been the repeated subject of judicial and ministerial exhortation alike, and is difficult to overstate. It is, nowadays, the daily norm of cases in the family courts. The Rehabilitation of Offenders Act 1974 is expressly made not to apply to these proceedings either. It may well be that at times such co-operation throws up difficult questions about the extent of disclosure which a police force ought to make to social services or other child welfare professionals, but that is not a reason for failing to have available a comprehensive record in order to make a fully-informed decision about it.

As regards the vetting of potential employees, Hughes LJ said that, given the statutory framework, it is plain that it is part of the necessary public purposes of the PNC that it maintain a complete record of convictions etc to enable the statutory scheme to work.


Paying for the ICO

Organisations that process personal data must notify the Information Commissioner’s Office, and pay an annual fee. Up to now the fee has been £35, for all data controllers. With effect from 1st October 2009, some large data controllers will instead pay a fee of £500.

The changes are made by the Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009 (SI 2009 No 1677). These divide data controllers into two groups: tier 1 organisations, which pay £35, and tier 2 organisations, which pay £500. All data controllers not in tier 2 are in tier 1.

A data controller will be in tier 2 if it satisfies the following three conditions: (i) it is not a charity or a small occupational pension scheme; (ii) it has been in existence for more than a month; and (iii) it has a turnover of £25.9 million or more for the data controller’s financial year and 250 or more members of staff, or it is a public authority with 250 or more members of staff. There are detailed provisions as to how turnover and staff numbers should be calculated for these purposes.

An explanatory memorandum issued by the Ministry of Justice gives the policy background to the change. Essentially it argues that large organisations cost more for the ICO to regulate, and so should pay a higher fee. The memorandum suggests that about 4% of data controllers will pay the higher fee, and that the extra annual income to the ICO will be about £4.7 million.

A more interesting question perhaps – and one that the new Regulations do not affect at all – is who is obliged to notify the Information Commissioner. Anyone who uses a computer to process personal data is a data controller and obliged to notify, unless they are subject to an exemption. Under section 36 of the Data Protection Act 1998, personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the duty to notify (and indeed from most of the rest of the Act as well). This is sometimes referred to as the “domestic use”, or “Christmas card list” exemption: if you keep your family’s Christmas card list on a computer, you do not have to notify the ICO that you are processing personal data, and you can spend the £35 on something else instead.

But what if you put personal data on to the internet? The Lindqvist case in the European Court of Justice suggests that the domestic exemption would not apply here, because information posted on the internet is available to all the world. Since Lindqvist was decided, there has been an explosion of blogging, and social networking, all internet-based. How much of this activity would come within the domestic use exemption remains unclear.