Important new privacy judgment: police retention of protestor’s data not an Article 8 infringement

The Admin Court (Gross LJ and Irwin J) has handed down judgment this week in Catt v Association of Chief Police Officers and Commissioner of Police of the Metropolis [2012] EWHC 1471 (Admin). It is an extremely important judgment on Article 8 ECHR in the context of personal information retained for policing purposes. It is also notable for its analysis of protest as an inherently public activity.

The background

ACPO launched a National Domestic Extremism Database containing information provided by police forces. The Metropolitan Police subsequently assumed responsibility for the database. The database contained information relating to the attendance by the claimant (an 87-year old protestor of good character) at various political protests made by a group called “Smash EDO”. Smash EDO opposes a US arms manufacturer with a factory in Brighton; its activities have often involved violent disorder and criminality (though apparently not by the claimant), necessitating a substantial police presence. Police officers overtly gathered information (including photographic and video material) at those protests. They then compiled reports on the protests, identifying a number of individuals including the claimant. The information at issue in this case comprised those sorts of reports – they were about incidents rather than the claimant per se, although the claimant was identified in the reports. The defendants retained that information pursuant to the statutory Code of Practice on the Management of Police Information, made under the Police Acts 1996 and 1997, and associated Guidance on the Management of Police Information.

The issues

The overarching issue was whether this infringed Mr Catt’s rights under Article 8 ECHR, the right to respect for private life.

It is important (if not entirely surprising) to note how the parties and the Court saw Article 8 and the Data Protection Act 1998 interacting (see paragraph 6(iv)). All agreed that the DPA was theoretically in play, but added nothing: if the Article 8 claim succeeded then the DPA claim was not needed; if Article 8 was engaged, but the interference was justified, then the DPA claim would automatically fail; if Article 8 was not engaged, the prospects of success under the DPA were negligibly remote.

The issues were therefore: (i) whether there was an interference with the claimant’s rights under Article 8(1), and (ii) if so, whether this interference was justified. The Court said no on both counts, by application of the authorities to three crucial findings.

Crucial findings

First, the Court accepted the need for such information to be retained by the police. Gross LJ said this at paragraph 19:

“… the use of intelligence is a fundamental policing tool.  Investigators need the ability to identify relationships within protest groups. Likewise, they need to be able to identify individuals associated with the use of particular tactics, together with those with a propensity to violence, disorderly behaviour and organised coordinated actions.  Although Mr. Catt has not been convicted of any offence, the evidence, which again I accept, is that his close association with violent members of Smash EDO and knowledge of this association is of intelligence value.  Such knowledge forms part of a “far wider picture of information”… needed by the police, inter alia, to investigate incidents of criminality and to assist the policing of future events.”

Secondly, “the essential nature of such activity [protesting] is that it is of a public nature. Indeed, its very object is to make others aware of his views and the causes to which he lends his support” (paragraph 36).

Thirdly, given the violent disorder which characterised Smash EDO’s activities, it was reasonable to expect the police to gather and retain such information. This was especially so as this information had been gathered by over rather than covert policing.

Issue 1: Article 8(1) neither engaged nor infringed

Given those findings, the Court concluded that the claimant’s rights under Article 8(1) were not engaged at all. The claimant’s reliance on R (Wood) v Commr of Police of the Metropolis [2009] EWCA Civ 414 did not assist: the facts were different, and it would be “unreal and unreasonable” to find an infringement of Article 8(1) in the present case.

Issue 2: interference would in any event be justified

The Court went on to conclude that even if there had been an interference with Article 8(1), this would be justified. The claimant had argued inter alia that he was not personally suspected of criminality and that there was no democratic oversight of the database system. The defendant argued inter alia that, given Smash EDO’s activities, the retention of this sort of information – police reports as opposed, for example, to photos or video material – was reasonably necessary and proportionate.

Gross LJ (with whom Irwin J agreed) had “no hesitation in concluding that any interference with Mr. Catt’s rights was amply justified under Art. 8.2”.

His reasons included the following (paragraph 64):

“Any interference with Mr. Catt’s Art. 8.1 rights was at the margins. The reports, the product of overt policing, did no more than record Mr. Catt’s public activities, the very object of which was to convey his views to as wide an audience as possible.  The reports were compiled and retained for intelligence purposes, in accordance with the Code and the Guidance, with a view to an appropriate police response to a campaign marred by serious, persistent criminality and posing a significant public order problem.”

Irwin J agreed that there was no expectation of privacy here, applying the approach in Campbell v MGN [2004] UKHL 22.

At paragraph 70 he added that it was not easy to see “… how it can affect the engagement of Art 8.1 that the material is recorded by police officers as opposed, say, to journalists; or collated and held within the National Extremism Database, as opposed to a local history archive in the town where the demonstrations have been held.  The latter distinction was advanced by Mr Owen (“the entries were not recorded on any database…”).  The issue is not whether the individual concerned likes or dislikes the thought of the data being held by this or that body: the issue is whether a reasonable expectation of privacy arises.  In my judgment, it does not arise in respect of any of the information in this case.”

Irwin J did, however, add this observation at paragraph 70, which might give rise to interesting arguments in future cases on such issues:

“Different questions might arise if material recorded in that context were collated with material which was private in its nature.  That does not arise in this case.”

What about ongoing retention of this information?

Gross LJ thought it sensible for the police to review its retention of this sort of information when the Smash EDO campaign concludes, but he agreed with Irwin J’s comments at paragraph that 73:

“… even when the Smash EDO campaign ends, it may yet be justifiable to retain some or all of this information.  The picture here is that there are connections between this group and parts of the animal rights movement, active before this group was formed.  It may be a legitimate function of intelligence to keep records of this group after it has ceased to be active, the better to understand the risks associated with after-coming groups with overlapping membership.  To my mind, there is no expectation that a review at a suitable point in the future will conclude otherwise.”

Robin Hopkins

DATABASE RIGHTS AND BREACH OF CONFIDENCE

The Chancery Division has considered the scope of the database rights in the Copyright, Designs and Patent Act 1998  in Forensic Telecommunications Services Ltd v Chief Constable of West Yorkshire [2011] EWHC 2892 (Ch).

The Claimant was a forensic services company, which recovered digital evidence from mobile phones for criminal investigations. It had a list of the permanent memory absolute addresses for different types of phone (known as PM Abs addresses) and it created software from this list. The Claimant had granted the security service a licence to use the software, but this did not extent to law enforcement agencies. A police officer (who was the Second Defendant to the claim) received several PM Abs addresses from a security operative and he posted them on the internet. Other law enforcement officers added to the list. The police officer created a list which contained 32 of the Claimant’s 33 PM Abs addresses. The police officer used this list to create software that was similar to the Claimant’s software.

The Claimant issued a claim against the police officer’s force (the Chief Constable of West Yorkshire) and the police officer personally, alleging infringement of its copyright and database rights.

The Court found that no copyright subsisted in the individual PM Abs addresses because the skill, judgement and labour expended in ascertaining the addresses was not of the right kind to attract copyright protection. The PM Abs list was however a database because the addresses were systematically arranged and individually accessible (meeting the test in section 3A of the Copyright, Designs and Patents Act 1988) and therefore it was not protected by copyright. The Claimant had made a substantial investment in obtaining and verifying the data on the list and therefore a database right subsisted in the list. The police officer had extracted and re-utilised a substantial part of the database and thereby infringed the Claimant’s database right. The police force was vicariously liable for this act of infringement.

The Claimant also succeeded in a claim for breach of confidence against both Defendants. The PM Abs list had the necessary quality of confidence, since it was valuable information collated by  the Claimant through the exercise of skill, judgement and labour which was not in the public domain. The police officer had misused this confidential information by posting the list on the website forum and making copies of it for his own use. The police force was again vicariously liable for the police officer’s actions.

CREATION VS MERE SWEAT: FOOTBALL FIXTURE LISTS AS LEGALLY PROTECTED DATABASES?

In Football Dataco & Others v Yahoo! UK Ltd & Others, the Court of Appeal has referred to the ECJ questions on the interpretation of Directive 96/9 on the Legal Protection of Databases. Its principle question was: what is meant by “databases which, by reason of the selection or arrangement of their contents constitute the author’s own intellectual creation”?

The databases in question comprised football fixture lists in the English and Scottish leagues. The defendant used these without paying the claimant (an organiser of football fixtures). The claimant contended that, by arrangement of its contents, the fixture list became its “own intellectual creation”, thereby attracting the Directive’s protection. The defendant’s stance was that these lists did not attract such protection, because they were merely the fruits of “sweat of the brow” – in other words, compilation, but not creation.

The Court of Appeal observed that the ECJ’s answers to its questions had wide implications for the legal protection not only of sports fixture lists, but possibly also of TV listings, which required comparable energy and skill to compile.

ICO’S SURVEILLANCE REPORT 2010: ‘SLEEPWALKING’ RISK REMAINS; ‘PRIVACY IMPACT ASSESSMENTS’ PROPOSED FOR NEW LEGISLATION

The Information Commissioner has delivered his latest report to the Home Affairs Select Committee on “the state of surveillance” in the UK. The report traces privacy-related developments since the Commissioner’s 2006 report on the same theme, which memorably observed that the UK may be “sleepwalking into a surveillance society”. According to the November 2010 report, that warning

 “… is no less cogent in 2010 than it was several years ago. It is not being suggested that the UK is a ‘police state’ or that there are surveillance conspiracies afoot against the public. Neither the 2006 report nor this one supports such an assumption, and evidence for it is lacking. Much of what is taken to be surveillance is done for benign reasons and has beneficial effects on individuals and society. But much surveillance also goes beyond the limits of what is tolerable in a society based on the rule of law and human rights, one of which is the right to privacy.”

The report provides an illuminating summary of trends in (amongst others) the use of CCTV, body scanning and border control (including ‘ethnic targeting’ for security searches), workplace monitoring, social networking, ‘crowdsourcing’, the monitoring of protest activities and even the use of unmanned drones. Scrutiny is also given to a number of governmental policy tools, such as databases and the use of ‘social sorting’ (eg into groups such as ‘high cost, high risk’ social groups who are vulnerable to social exclusion’) to develop targeted welfare strategies.

As regards private-sector online commerce, the Commissioner recommends a number of measures to correct what he describes as the “worrying trend particularly with those who provide on-line services not to have thought through the privacy implications of their activities and given users robust privacy settings as a default”.

What to do about the risks identified in the report? The ICO’s recommendations focus principally on overhauling the legislative process insofar as it affects privacy, by introducing: 

  • a requirement for a privacy impact assessment to be presented during the parliamentary process where legislative measures have a particular impact on privacy;
  • an opportunity for the Information Commissioner to provide a reasoned opinion to Parliament on measures that engage concerns within his areas of competence, and
  • a legal requirement to make sure all new laws that engage significant privacy concerns undergo post-legislative scrutiny to ensure they are being implemented and used as intended by Parliament.

If implemented, these measures would add substantially to the ICO’s clout as the guardian of privacy.

The report can be found here, with the accompanying press release from the ICO here.

WATCH THIS SPACE

The Coalition’s Programme for Government contains a great deal that is of interest to information lawyers: see here.  But when and how will any of this be given legislative effect?

The Queen’s Speech was delivered on 25th May 2010. The website of the Prime Minister’s office gives a list of the proposed Bills , with further information about each one. Three of the proposed Bills have potential implications for information law.

(i) The Public Bodies (Reform) Bill will enhance the transparency and accountability of quangos: though it is not clear as yet whether enhanced information access rights will play a role in this.

(ii) The Decentralisation and Localism Bill will (among other matters) require public bodies to publish online the job titles of every member of staff and the salaries and expenses of senior officials.

(iii) The Freedom (Great Repeal) Bill is intended to cover a wide range of subjects, to be announced in due course: it may include an extension to the scope of FOIA, and also various provisions in relation privacy (e.g. relating to CCTV cameras, and the DNA database).

Of these Bills, it is the third that is likely to be much the most significant. 

PATIENT INFORMATION – MADE FOR SHARING?

Sharing patient information in the NHS has proved highly controversial.  We posted about this subject here a while back.  Now there’s a new report from UCL researchers, suggesting that two key recent NHS IT programmes for handling patient information have so far delivered only modest benefits.   A short summary appears here, with links to the executive summary and the full report.  A research paper based on the findings has been published in the BMJ.

The three year UCL project looked at the Summary Care Record (SCR) and at Healthspace, both introduced as part of the NHS National Programme for IT. 

The SCR is an electronic summary of key health data, taken from GP records and other sources, and available to a range of NHS staff.   According to the UCL report, very few people had chosen to opt out; less than 1% of those who had been sent the relevant information.  But SCRs were not yet widely used; even where available, they were only accessed in 21% of clinical encounters.  So far there was little evidence that SCRs improved patient safety or reduced consultation length or hospital admissions.

HealthSpace is a tool that allows patients to update their own health information, plan healthcare appointments, and contact their GP via a secure internet connection.  So far, take up has been very low.  According to the UCL study only one person in 200 who was invited to open a basic account did so, and only one in 1000 opened an advanced account.

The report’s lead author, Professor Greenhalgh, is quoted as saying:  “This reseach shows that the significant benefits anticipated for these programmes have, by and large, yet to be realised – and that they may be acheived only at high cost and enormous effort … It serves to demonstrate the wider dilemma of national databases:  that scaling things up doesn’t necessarily make them more efficient or effective.”