data protection – Page 9

Launch of Information Law Reports

Posted on 19th July 2011 | by Rachel Kamm

The Information Law Reports launched on 14 July 2011, with the following announcement on 11KBW’s website:

Leading chambers 11KBW and legal publisher Justis Publishing are collaborating in a first for both organisations: the creation of a new series of law reports available both in bound volumes from next week and on the established Justis platform from this morning.

Information law is ever more important, seeking to balance the “right to know” and the “right to be left alone” in an age of massive databases and global information flows. We all want to protect our own privacy; but we also want to understand how public authorities make decisions and spend our money. This new series will help professionals grapple with these issues.

Timothy Pitt-Payne QC, a barrister at 11KBW and one of the editors of the new reports, said: “There is a growing case-law, generated by the specialist Information Rights Tribunal and the higher courts. Navigating this material and quickly identifying the most important recent developments is increasingly challenging. The Information Law Reports seek to meet this need, bringing together all the most important cases in a single source. 11KBW are delighted to be working with Justis on this much-needed project.”

Masoud Gerami, Managing Director of Justis Publishing, said: “We have had a number of significant milestones in our 25-year history, mostly associated with innovation and developments which have changed legal information dissemination for the better. I am delighted that another milestone has been added to our list of achievements by producing the new series of Information Law Reports in association with 11KBW, the leaders in this increasingly important field. I believe that the complementary nature of the expertise from the partners in this project is the ideal requirement for any successful product or service, and we look forward to a continued relationship with 11KBW.”

He added: “This is also the first time that Justis Publishing has produced a product in hard copy, and we are very excited about the possibilities that the combination of hard copy and online versions will present.”

For further information, please call +44 (0)20 7267 8989 or email press@justis.com.

PERSONAL DATA: CRUCIAL POINTS FROM THE ‘ABORTION STATISTICS’ CASE

Posted on 14th June 2011 | by Robin Hopkins

Judgment in Department of Health v IC [2011] EWHC 1430 (Admin) – the ‘abortion statistics’ appeal – was handed down on 20 April this year. Cranston J’s judgment has now been made available. The following salient points from that judgment may be of use to those interested in the concept and extent of ‘personal data’ under s. 40 FOIA and the DPA – especially when looking at the grey area of statistics or other anonymous data which is rooted in or derived from other data which is more overtly personal. The judgment is also essential reading for anyone grappling with the application of the leading House of Lords decision on this subject, Common Services Agency v Scottish Information Commissioner [2008] UKHL47, [2008] 1 WLR 1550 (‘CSA’). (‘Grappling’ is probably apt: even Cranston J conceded that “it would be wrong to pretend that the interpretation of the CSA case is an easy matter”).

Briefly by way of background: the Department refused a request for detailed statistics on the number of late-term abortions carried out on prescribed grounds. It relied on s. 40 FOIA, basing its case on the risk that, given the ‘low cell counts’ in these categories, the relevant patients and/or doctors might be identified by those sufficiently motivated to do so. The Commissioner found that these statistics were not personal data. The Information Tribunal agreed with the Department that they did constitute personal data, but was not satisfied that s. 40 was effective, as there was insufficient risk of identification.

On the Department’s appeal to the High Court, Cranston J agreed with the Commissioner that these statistics are not personal data.

One route to that conclusion was that advocated by the Commissioner, namely to adopt the approach of Baroness Hale in CSA: anonymised statistics remain personal data and therefore subject to the protection of the DPA in the hands of the data controller (who possesses the underlying data from which individuals could be identified) but not in the hands of the general public (who do not). This approach commended itself to the Upper Tribunal in the recent case of All Parliamentary Group on Extraordinary Rendition v Information Commissioner [2011] UKUT 153 AAC (on which, see my post here).

Cranston J, however, rejected that route, as it was the reasoning of Lord Hope rather than Baroness Hale in CSA which had attracted the majority’s support in that case. Lord Hope’s approach can be paraphrased as follows. The definition of personal data under s. 1 DPA provides for two means of identification: either from the data itself (inapplicable in the case of anonymous statistics) or from “from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”. Lord Hope’s approach to situations such as this is to ask: does the ‘other information’ (if provided to the hypothetical member of the public) add anything to the statistics which would enable them to identify the underlying individuals? If the answer is no, the statistics are not personal data. The underlined words are important: if identification can be achieved from the ‘other information’ in isolation (rather than when added to the statistics) then the statistics themselves are truly anonymous, and are not personal data. The statistics in this case failed Lord Hope’s test, and were thus not personal data.

Cranston J’s conclusion was that the Tribunal had been correct to conclude that the data was ‘truly anonymised’ – but it had erred in treating this as personal data which had been truly anonymised. The Department contended that, because it held the underlying identification data, the abortion statistics remained personal data in all circumstances. Cranston J rejected this submission, stating that:

“If that were the case, any publication would amount to the processing of sensitive personal data… Thus, the statistic that 100,000 women had an abortion in a particular year would constitute personal data about each of those women, provided that the body that publishes this statistic has access to information which would enable it to identify each of them. That is not a sensible result and would seriously inhibit the ability of healthcare organisations and other bodies to publish medical statistics”.

In going on to dismiss the Department’s other grounds of appeal, Cranston J made a number of other points of general application. For example, in rejecting the criticism that the Tribunal had failed adequately to engage with the Department’s expert evidence, Cranston J said this:

“To begin, the issue before the Tribunal was one of assessment: the likelihood that a living individual could be identified from the statistics. That was in my judgment only partly a question of statistical expertise, as regards matters such as the sensitivity of the data. Partly, also, it was a matter of assessing a range of every day factors, such as the likelihood that particular groups, such as campaigners, and the press, will seek out information of identity and the types of other information, already in the public domain, which could inform the search. These are factors which the Tribunal was in as good a position to evaluate as the statistical experts, a point which one of the Department of Health’s experts conceded. The analysis also applies to the evidence of senior civil servants.”

As regards the Department’s contentions that conditions from Schedules 2 and 3 of the DPA were not met, their points were “wounding” to the Tribunal’s judgment, but not “fatal”, in light of the evidence at the Tribunal hearing. Finally, Cranston J described the Department’s argument based on Article 8 ECHR as “very much a jury argument”.

Interestingly, on the same day as judgment was given in this case, the High Court (Kenneth Parker J) gave judgment in R (BT & Anor) v The Secretary of State for Business, Innovation and Skills [2011] EWHC 1021 (Admin) – BT’s unsuccessful application for judicial review of the Digital Economy Act 2010 (on which, see my piece here). One of the grounds of challenge was alleged non-compliance with the Data Protection Directive. In that judgment, IP addresses (anonymous strings of numbers linked to internet subscribers’ accounts) were treated as personal data even in the hands of copyright owners who possessed only those IP addresses. This was by application of the definition of personal data under the Directive: here copyright owners were deemed likely to come into possession of the underlying personal data when taking legal action against the individual internet subscribers who downloaded content in breach of copyright. This conclusion was reached independently of the Lord Hope test. Note, however, that it seems from the judgment that this question – are IP addresses always personal data or not – was not argued in full before Kenneth Parker J. There is talk of a potential appeal, so the application of these principles to IP addresses might be considered in the courts again before too long.

Robin Hopkins

EXTRAORDINARY RENDITION UPPER TRIBUNAL APPEAL: LATE RELIANCE, PERSONAL DATA & OTHER ISSUES

Posted on 26th April 2011 | by Robin Hopkins

The All Party Parliamentary Group on Extraordinary Rendition (APG) requested information from the Ministry of Defence on (i) memoranda of understanding between the UK and the governments of Iraq, Afghanistan and the USA regarding the treatment of prisoners detained in the conflicts in Iraq and Afghanistan, (ii) a copy of the Detentions Practices Review, (iii) a copy of the UK’s policy on capture and joint transfer, and (iv) statistics on detainees held in Iraq and Afghanistan. The MOD refused the requests, relying on a number of exemptions under FOIA. For the most part, the Commissioner agreed. APG’s appeal was expedited to the Upper Tribunal and heard by Blake J, Andrew Bartlett QC and Rosalind Tatam.

Except as regards request (iii), its appeal has succeeded, to a limited but substantial extent. The Upper Tribunal has ordered disclosure or significantly more information than that ordered by the Commissioner.

Its judgment (available here) is complex. Some of the key points of interest are as follows.

Late reliance

The Upper Tribunal was mindful of the decision of a differently constituted Upper Tribunal in the DEFRA/Brikett appeals, where it was held that public authorities may rely on exemptions as of right at any stage in proceedings. In this case, the Upper Tribunal did not need to decide the issue of late reliance, but it did confess to having “some general concerns” about such an approach, which threatens to “turn the time limit provisions of ss. 10 and 17 almost into dead letters”, and “can also create a strong sense of injustice”. The internal review mechanism provides sufficient time for the public authority to make its mind up; if new points are taken thereafter, “then fairness requires that the requester should be allowed to add to the terms of his complaint under s. 50(1)”.

Cost of compliance under s. 12 FOIA

The Upper Tribunal approved principles from Urmenyi v IC and LB Sutton (EA/2006/0093) concerning the Commissioner’s enquiries into the assumptions behind the public authority’s estimate, and from Roberts v IC (EA/2008/0050) about the activities falling within s. 12 and the reasonableness of estimates.

Late reliance on s. 12 is a different matter to late reliance on exemptions under Part II of FOIA. Delay by a public authority robs the requester of the opportunity to split the request into parts separated by 60 days, thereby avoiding s. 12. The cost exemption “only has meaning if the point is taken early on in the process, before substantial costs are incurred” – it looks at whether costs would exceed, not whether they have been exceeded.

In the present case, the MOD’s estimate was not reasonable because it was based upon a search for a broader class of information than that which was actually requested.

Prejudice to international relations under s. 27 FOIA

The Upper Tribunal was not persuaded that this exemption was effective: “since the maintenance of the rule of law and protection of fundamental rights is known to be a core value of the government of the United Kingdom, it is difficult to see how any responsible government with whom we have friendly relations could take offence at open disclosure of the terms of an agreement or similar practical arrangements to ensure that the law is upheld”.

Legal professional privilege under s. 42 FOIA

This exemption was engaged, and the public interest in favour of disclosure of the UK’s Detention Practices Review did not outweigh the public interest in maintaining the exemption.

Bodies dealing with security matters under s. 23 FOIA

The MOD successfully relied on this exemption – including where it was relied on “late”.

Personal data under s. 40 FOIA and the conditions in Schedule 2 DPA

Information on the dates and locations of individual cases of detention and prisoner transfer would not enable identification of those individuals, and was thus not personal data. If it had been personal data, condition 6(1) from Schedule 2 DPA would have been met.

APG in fact submitted that conditions 4, 5(a), 5(d) and 6(1) would be met by disclosure of statistics on detainees. The MOD submitted that a number of these conditions could not be relied on in the context of a request under FOIA because the public at large (to whom disclosure under FOIA is deemed to be made) cannot fulfil these conditions. The Upper Tribunal disagreed: at least some of these conditions can be fulfilled by a member of the public, and that is sufficient.

APG further relied on s. 35(2) DPA, which provides an exemption from the non-disclosure provisions of the DPA where disclosure is “necessary for the purposes of establishing, exercising or defending legal rights”. The Upper Tribunal confirmed that “establishing” for these purposes had the sense of “vindicating” rather than merely determining what the relevant rights are.

Where data is anonymised, it continues to attract the protection of the data protection principles insofar as it is in the hands of the data controller (who holds the key to identification of the otherwise anonymous data subjects). “But outside the hands of the data controller, the information is no longer personal data, because no individual can be identified… the best analysis is that disclosure of fully anonymised information is not a breach of the [DPA] because at the moment of disclosure the information loses its character as personal data”. The publication of truly anonymised or other “plain vanilla” data therefore does not involve “processing of personal data” for DPA purposes.

Related judgments

On the late reliance issue, permission to appeal to the Court of Appeal is being sought in the DEFRA/Birkett case.

On the s. 40 FOIA issue, the Upper Tribunal’s decision needs to be read in conjunction with the High Court’s decision (also handed down very recently) in the Department of Health’s “abortion statistics” appeal.

TWO HIGH COURT ‘PERSONAL DATA’ JUDGMENTS: DIGITAL ECONOMY ACT 2010 AND ABORTION STATISTICS

Posted on 20th April 2011 | by Robin Hopkins

The High Court has today handed down two judgments of some significance in the context of personal data.

This morning, Kenneth Parker J gave judgment in the application brought by BT and TalkTalk for judicial review of the Digital Economy Act 2010 (on which, see my earlier discussion here). The Act seeks to combat illegal file-sharing by allowing copyright owners to detect apparently unlawful online activity and report it to the suspect’s internet service provider, who must then warn the suspect against repeat infringements. The claimants contended, among other things, that this regime breached EU data protection law. Their claim failed on this and three other grounds, succeeding only with their fifth ground, which contended that internet service providers should not have to foot 25% of the bill for the regime imposed by the Act. Read the DCMS’ press release here.

This afternoon, Cranston J gave judgment in the “abortion statistics” appeal (on which, see my earlier Panopticon post here). The Information Tribunal had upheld the Commissioner’s decision to order disclosure of “low cell count” statistics as to the number of abortions carried out on specified grounds. Argument had focused on the risk of doctors, and in particular patients being identified. The Department of Health’s appeal to the High Court was dismissed. The judgment represents a notable development in jurisprudence on personal data.

More analysis to follow when these judgments are made available.

THE EVOLVING BATTLE AGAINST ILLEGAL FILE-SHARING: SOME DATA PROTECTION OBSERVATIONS

Posted on 3rd March 2011 | by Robin Hopkins

Late last year, Julian Wilson blogged about the Digital Economy Act 2010, and the judicial review challenge to its compliance with EU law – including data protection law. With those proceedings drawing near, I have written a thought piece for Practical Law on some of the related issues, available here.

DATA PROTECTION IN THE UK: CURRENT AND FUTURE CONCERNS

Posted on 25th February 2011 | by Robin Hopkins

The British Medical Association has expressed concern this week about the Health and Social Care Bill – in particular, about its approach to data protection and the sharing of patients’ medical information. The Bill proposes a new “information standard” for the NHS which, according to the BMA, shows that “the Government has decided to place its desire for access to information over the need to respect patient confidentiality”. The new law would empower the Secretary of State to obtain such information as he considers it necessary to have; it would also widen the access to medical information by the NHS Commissioning Board, NHS Information Centre and local authorities. More detail on the proposed changes can be found in articles in the Daily Telegraph here, and the Guardian here.

The BMA wants to see the Bill amended: “so that it enshrines the need for explicit patient concent to any disclosure of information, unless the information has been properly anonymised or there is an overriding public interest.” The Department for Health, on the other hand, is confident that the proposals would preserve confidentiality and comply with the data protection law. Presumably, the Department means data protection law as implemented in the UK. At the 11KBW Information Law Seminar last week, I discussed the tension between the narrow approach to data protection that has prevailed under UK common law since Durant, and the considerably wider approach taken at a European level (and favoured domestically by the Information Commissioner).

On this subject, there is a very interesting report on Amberhawk this week, available here. This sets out in some detail the European Commission’s concerns about the UK’s apparently “bare minimum” approach to implementing its data protection obligations. It’s not yet clear what the Commission will do about this, but it appears to be only a matter of time before negotiation or confrontation on this issue comes to a head.

WordPress + Bootstrap

Tag: data protection