Heading off the FOIA equivalent of a zombie apocalpyse, the Upper Tribunal has driven a stake through the heart of the contention (long presumed dead) that the public interest in a FOIA request is to be assessed at a time other than when the public authority first refused the request.
Tag: personal data
Personal data and politicians’ names
Can the name of a local councillor who has defaulted on Council tax properly be withheld from disclosure under the exemption for personal data in s.40 FOIA? That was the issue for the Upper Tribunal (“UT”) in Haslam v (1) Information Commissioner (2) Bolton Council [2016] UKUT 0139 (AAC), 10 March 2016. Mr Haslam, a journalist on the Bolton News, had submitted a FOIA request to Bolton Council for disclosure of names of councillors who had received reminders for non-payment of Council tax since May 2011. The Council refused to name names, citing the exemption in s.40 FOIA. The Information Commissioner and First-Tier Tribunal (“FTT”) upheld the Council’s decision. The UT (Judge Markus QC) has now reversed the FTT’s decision, and held that the name of the individual councillor concerned should be released.
The UT held that releasing the name would not contravene the data protection principles, because processing was necessary for the purposes of legitimate interests pursued by Mr Haslam, and was not unwarranted because of prejudice to the councillor’s rights/legitimate interests. In substance, this involved carrying out an Article 8/Article 10 ECHR balancing exercise. It is apparent from the UT’s decision that the critical element in that balancing exercise was the councillor’s status as an elected official with public responsibilities, to which non-payment of council tax was directly and significantly relevant. In particular, a councillor is barred from voting on the Council’s budget if he has an outstanding council tax debt of over two months. So Council tax default, per the UT, “strikes at the heart of the performance of a councillor’s functions”. Voters would want to know whether the councillor was carrying out his duties. That in turn meant that (i) a councillor could not have any expectation that his name would be withheld, even if his identification intruded significantly into his private life; and (ii) on the other side of the balance, there was a compelling legitimate interest in the public knowing his name. Judge Markus QC said that there might be exceptional cases in which the personal circumstances of a councillor were “so compelling” that their name should be protected; but these were not such circumstances – even though disclosure might cause some distress to the councillor, and damage to his reputation. In short, elected officials are not in the same position as other members of the public when it comes to disclosure of their names. They can expect their names to be disclosed in circumstances where ordinary members of the public might expect the opposite.
Two other points of interest arise from the decision:
- The UT said that the relevant “legitimate interests” of the third party to whom data is disclosed were the interests of the requester, not the public at large. The fact that FOIA, in general, is “motive-blind”, and disclosure under FOIA is to the world, did not mean that the “third party” in question had to be treated as if it were the public as a whole, rather than the requester. However, in the present case, that made no practical difference, because Mr Haslam was a journalist, and his own interests elided with those of the public.
- The issue arose whether Mr Haslam should receive a gist of the closed material in the case. The closed material concerned the personal mitigating circumstances of the councillor in question. The UT applied the principle in Browning v Information Commissioner [2014] 1 WLR 3848 that information should not be withheld unless strictly necessary; but considered that nevertheless, it was not possible to provide a gist. Giving a gist would materially increase the risk of the councillor being identified, and that would defeat the purpose of the appeal.
Anya Proops QC of 11KBW acted pro bono for Mr Haslam; Robin Hopkins of 11KBW for the Information Commissioner, and Christopher Knight of 11KBW for the Council.
Refusing a subject access request: proportionality, anxious scrutiny and judicial discretion
Zaw Lin and Wai Phyo v Commissioner of Police for the Metropolis [2015] EWHC 2484 (QB), a judgment of Green J handed down today, is an interesting – if somewhat fact-specific – contribution to the burgeoning body of case law on how subject access requests (SARs) made under the Data Protection Act 1998 (DPA) should be approached, both by data controllers and by courts.
The Claimants are on trial in Thailand for the murder in September 2014 of British tourists Hannah Witheridge and David Miller. They could face the death penalty if convicted.
Under the Police Act 1996, and following high-level discussions (including at Prime Ministerial level), it was agreed that the Metropolitan Police Service (MPS) would send an officer to observe and review – but not assist with – the Thai police investigation. The MPS compiled a detailed Report. They agreed to keep this confidential, except that it could be summarised verbally to the families of the victims so as to reassure about the state of the investigation and proceedings. The Report has never been provided to the families or the Thai authorities.
The Claimants made SARs, seeking disclosure of the MPS’ Report. Green J summarised their objectives as follows (para 29):
“The Claimants have endeavoured to clothe their arguments in the somewhat technical language of the DPA. It seems to me that the bottom line of these arguments, stripped bare of technical garb, can be put in two ways. First, the views of the MPS carry weight. Scotland Yard has an international reputation. If the Report is seen as favourable to the prosecution and contains material supportive of the RTP [Royal Thai Police] investigation (which is in effect how the Claimants say it has been presented in public by the families) then they should have the right to see the personal data so they can correct any misapprehensions. Secondly, that in any event they should be able to use any personal data which is favourable to their defence.”
The Claimants were entitled to request disclosure of at least some of the contents of the Report, though Green J estimated that only a small percentage of its contents constituted their personal data (para 25).
The MPS refused the SARs, relying on the exemption for crime and taxation under section 29 DPA.
In determining the claim under section 7(9) DPA, Green J considered arguments as to the applicability (or not) of Directive 95/46/EC (which contains exceptions for criminal matters: see Articles 3 and 13) and the European Convention on Human Rights. His view was that not much turned on these points here (para 49). At common law, the court’s scrutiny must always be fact- and context-specific. In a life-and-death context, anxious scrutiny would be applied to a data controller’s refusal. See para 69:
“… when construing the DPA 1998 (whether through common law or European eyes) decision makers and courts must have regard to all relevant fundamental rights that arise when balancing the interest of the State and those of the individual. There are no artificial limits to be placed on the exercise.”
Green J expressed his discomfort about the application of section 15(2) DPA, which allows the court – but not the data subject – to view the withheld information. This, together with the prospect of a closed session, raised concerns as to natural and open justice. Given the expedited nature of the case before him, it was not appropriate to appoint a special advocate, but that may need to be considered in future cases where the stakes are very high. Green J proceeded by asking questions and hearing submissions on an open basis in a sufficiently generic and abstract way.
In expressing those procedural misgivings, Green J has touched on an important aspect of DPA litigation which has received little attention to date.
He also took a narrower view of the breadth of his discretion under section 7(9) DPA than has often been assumed. At para 98, he said this of the ‘general and untrammelled’ nature of that judicial discretion:
“If Parliament had intended to confer such a broad residual discretion on the court then, in my view, it would have used far more specific language in section 7(9) than in fact it did. In any event I do not understand the observations in the authorities referred to above to suggest that if I find that the MPS has erred that I should simply make up and then apply whatever test I see fit. If I find an error on the part of the MPS such that I must form my own view then I should do in accordance with the principles set out in the DPA 1998 and taking account of the relevant background principles in the Directive and the Convention. My discretion is unfettered by the decision that has gone before, and which I find unlawful, but I cannot depart from Parliament’s intent.”
Such an approach to section 7(9) could make a material difference to litigation concerning SARs.
Green J then set out and determined the issues before him as follows:
Issue I: Who has the burden of proof of proving both the right to invoke the exemption? What is the standard of proof?
Following R (Lord) v Secretary of State of the Home Department [2003] EWHC 2073 (Admin), the answer is that the data controller bears the burden. “The burden of proof is thus upon the MPS in this case to show its entitlement to refuse access and it must do this with significant and weighty grounds and evidence” (para 85).
Issue II: Was the personal data in the MPS report “processed” for purposes of (a) the prevention or detection of crime or (b) the apprehension or prosecution of offenders?
Green J’s answer was yes. Although the purposes behind the Report differed from the usual policing context, there should be no artificially narrow interpretation of the ‘prevention and detection of crime/apprehension or prosecution of offenders’.
Issue III: Would granting access be likely to prejudice any of those purposes?
This required a balancing exercise to be performed between the individual’s right to access and the interests being pursued by the data controller in refusing disclosure. This called for a “classic proportionality balancing exercise to be performed” (para 78).
Here, the starting point was the Claimant’s prima facie right to the personal data. This was bolstered by the life-and-death context of the present case.
The MPS’ refusal, however, pursued legitimate and weighty objectives. In assessing those objectives, it was relevant to consider what precedent would be set by disclosure: the “focus of attention was not just on the facts of the instant case but could also take account of the impact on other cases” (as per Lord).
On that basis, and in light of the evidence, the MPS’ ‘chilling effect’ argument was powerful. See para 107:
“… I accept their judgment and opinion as to the risks that release of the Report would give rise to and in particular, their position on: the considerable benefit to the public interest (in relation to crime enforcement and public security) generally in the MPS (and other relevant police authorities) being able to engage with foreign authorities; the high importance that is attached by foreign authorities to confidentiality; and the risk that not being able to give strong assurances as to confidentiality would pose to the ability of the MPS and others to enter into meaningful working relationship with such overseas authorities.”
It was also important to avoid any potential interference with a criminal trial in a foreign country.
The Claimants’ SARs were not made for any improper purposes, i.e. for purposes other than those which Directive 95/46/EC sought to further. In that respect, the present case was wholly unlike Durant.
The balancing exercise, however, favoured the MPS. Having considered each item of personal data, Green J said his “ultimate conclusion is that there is nothing in the personal data which would be of any real value to the Claimants” (para 125). He expressed his unease with both the procedure and the outcome. Permission to appeal was granted, though Panopticon understands that an appeal is not being pursued by the Claimants.
Anya Proops and Christopher Knight acted for the Defendant.
Robin Hopkins @hopkinsrobin
How to apply the DPA
Section 40 of FOIA is where the Freedom of Information Act (mantra: disclose, please) intersects with the Data Protection Act 1998 (mantra: be careful how you process/disclose, please).
When it comes to requests for the disclosure of personal data under FOIA, the DPA condition most commonly relied upon to justify showing the world the personal data of a living individual is condition 6(1) from Schedule 2:
The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
That condition has multiple elements. What do they mean, and how do they mesh together? In Goldsmith International Business School v IC and Home Office (GIA/1643/2014), the Upper Tribunal (Judge Wikeley) has given its view. See here Goldsmiths. This comes in the form of its endorsement of the following 8 propositions (submitted by the ICO, represented by 11KBW’s Chris Knight).
Proposition 1: Condition 6(1) of Schedule 2 to the DPA requires three questions to be asked:
(i) Is the data controller or the third party or parties to whom the data are disclosed pursuing a legitimate interest or interests?
(ii) Is the processing involved necessary for the purposes of those interests?
(iii) Is the processing unwarranted in this case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?
Proposition 2: The test of “necessity” under stage (ii) must be met before the balancing test under stage (iii) is applied.
Proposition 3: “Necessity” carries its ordinary English meaning, being more than desirable but less than indispensable or absolute necessity.
Proposition 4: Accordingly the test is one of “reasonable necessity”, reflecting the European jurisprudence on proportionality, although this may not add much to the ordinary English meaning of the term.
Proposition 5: The test of reasonable necessity itself involves the consideration of alternative measures, and so “a measure would not be necessary if the legitimate aim could be achieved by something less”; accordingly, the measure must be the “least restrictive” means of achieving the legitimate aim in question.
Proposition 6: Where no Article 8 privacy rights are in issue, the question posed under Proposition 1 can be resolved at the necessity stage, i.e. at stage (ii) of the three-part test.
Proposition 7: Where Article 8 privacy rights are in issue, the question posed under Proposition 1 can only be resolved after considering the excessive interference question posted by stage (iii).
The UT also added this proposition 8, confirming that the oft-cited cases on condition 6(1) were consistent with each other (proposition 8: The Supreme Court in South Lanarkshire did not purport to suggest a test which is any different to that adopted by the Information Tribunal in Corporate Officer).
Those who are called upon to apply condition 6(1) will no doubt take helpful practical guidance from that checklist of propositions.
Robin Hopkins @hopkinsrobin
Campaigning journalism is still journalism: Global Witness and s.32 DPA
In an important development in the on-going saga of Steinmetz and others v Global Witness, the ICO has decided that the campaigning NGO is able to rely on the ‘journalism’ exemption under s.32 of the Data Protection Act 1998 (DPA).
The decision has major implications for journalists working both within and outside the mainstream media, not least because it makes clear that those engaged in campaigning journalism can potentially pray in aid the s. 32 exemption. Importantly, it also confirms that the Article 10 right to freedom of expression remains a significant right within the data protection field, notwithstanding recent developments, including Leveson and Google Spain, which have tended to place privacy rights centre-stage (Panopticons passim, maybe even ad nauseam).
Loyal readers will be familiar with the background to the Global Witness case, for which see original post by Jason Coppel QC.
In brief: Global Witness is an NGO which reports and campaigns on natural resource related corruption around the world. Global Witness is one of a number of organisations which has been reporting on allegations that a particular company, BSG Resources Ltd (“BSGR”), secured a major mining concession in Guinea through corrupt means. A number of individuals who are all in some way connected with BSGR (including Benny Steinmetz, reported to be its founder) brought claims against Global Witness under the DPA. The claims included a claim under s. 7 (failure to respond to subject access requests); s. 10 (obligation to cease processing in response to a damage and distress notification); s. 13 (claim for compensation for breach of the data protection principles) and s. 14 (claim for rectification of inaccurate data). Significantly, Mr Steinmetz alleged, amongst other things, that because he was personally so closely connected to BSGR, any information about BSGR amounted to his own personal data. If successful, the claims would have the effect of preventing Global Witness from investigating or publishing further reports on the Guinea corruption controversy.
Global Witness’s primary line of defence in the High Court proceedings was that all of the claims were misconceived because it was protected by the ‘journalism’ exemption provided for by s. 32 of the DPA. After a procedural spat in March (Panopticon report here), Global Witness’s application for a stay of the claims under s. 32(4) DPA was allowed by the High Court. The matter was then passed to the ICO for a possible determination under s.45 DPA. (In summary, such a determination will be made if the ICO concludes, against the data controller, either: (a) that the data controller is not processing the personal data only for the purposes of journalism or (b) it is not processing the data with a view to future publication of journalistic material).
In fact, the ICO declined to make a determination under s. 45. Moreover, he decided that, with respect to the subject access requests made by the claimants, Global Witness had been entitled to rely on the exemption afforded under s. 32. With respect to the latter conclusion, the ICO held that there were four questions which fell to be considered:
(1) whether the personal data is processed only for journalism, art or literature (s.32(1))
When dealing with this question, the ICO referred to his recent guidance Data Protection and journalism: a guide for the media, in which he accepted that non-media organisations could rely on the s.32 exemption, provided that the specific data in question were processed solely with a view to publishing information, opinions or ideas for general public consumption (p.30). He went on to conclude that this requirement could be met even where the publication is part of a wider campaign, provided that the data is not also used directly for the organisation’s other purposes (e.g. research or selling services). The ICO was satisfied that this condition was met for the data in question.
(2) whether that processing is taking place with a view to publication of some material (s.32(1)(a))
It is apparent from the decision letter that Global Witness was able to point to articles it had already published on the Simandou controversy, and since the controversy was on-going, to show it intended to publish more such articles. The ICO was satisfied that, in the circumstances, this second question should be answered in the affirmative.
(3) whether the data controller has a reasonable belief that publication is in the public interest (s.32(1)(b))
The ICO emphasised that the question he had to ask himself was not whether, judged objectively, the publication was in the public interest, but rather whether Global Witness reasonably believed publication was in the public interest. In the circumstances of this case – small NGO shines a spotlight on activities of large multinational in one of the world’s poorest countries amid allegations of serious corruption – he readily accepted that Global Witness held such a belief, particularly as the data related to the data subjects’ professional activities, for which they in any event had a lower expectation of privacy than in relation to their private lives.
(4) whether the data controller has a reasonable belief that compliance is incompatible with journalism. (s.32(1)(c))
Again, the focus here was on Global Witness’ reasonable beliefs. The ICO accepted that Global Witness had reasonable concerns that complying with the subject access requests which had been made by the claimants would prejudice its journalistic activity in two ways:, first, by giving the data subjects advance warning of the nature and direction of Global Witness’ investigations, which could be used to thwarting effect and, second, by creating an environment in which the organisation’s sources might lose confidence in Global Witness’ ability to protect their identities.
The decision will no doubt substantially reassure campaigning and investigative journalists everywhere. Unsurprisingly, it has been widely reported in the media (see e.g. Guardian article, Times article and FT article here). Notably, the FT reports that the claimants are asserting that they intend to challenge the decision. We will have to wait until the New Year to discover whether these assertions translate into action and, if they do translate into action, what form that action will take.
Anya Proops of 11KBW acts for Global Witness.
Peter Lockley
Loss of personal data: £20k award upheld on appeal
If you breach your legal duties as regards personal data in your control, what might you expect to pay by way of compensation to the affected individual? The received wisdom has tended to be something along these lines. First, has the individual suffered any financial loss? If not, they are not entitled to a penny under s. 13 DPA. Second, even if they get across that hurdle, how much should they get for distress? Generally, not very much – reported awards have tended to be very low (in the low thousands at most).
All of that is very comforting for data controllers who run into difficulties.
That picture is, however, increasingly questionable. “Damage” (the precondition for any award, under s. 13 DPA) could mean something other than “financial loss” – other sorts of damage (even a nominal sort of damage) can, it seems, serve as the trigger. Also, provided the evidence is sufficiently persuasive, it seems that awards – whether under the DPA or at common law (negligence) – could actually be substantial.
These trends are evident in the judgment of the Court of Appeal of Northern Ireland in CR19 v Chief Constable of the Police Service of Northern Ireland [2014] NICA 54.
The appellant, referred to as CR19, was a police officer with the Royal Ulster Constabulary. Due to his exposure to some serious terrorist incidents, he developed Post-Traumatic Stress Disorder (PTSD); he also developed a habit of excessive alcohol consumption. He left the Constabulary in 2001. In 2002, there was a burglary at Castlereagh Police, apparently carried out on behalf of a terrorist organisation. Data and records on officers including CR19 were stolen.
The Constabulary admitted both negligence and a breach of the seventh data protection principle (failure to take appropriate technical and organisational measures). The issue at trial was the amount of compensation to which CR19 was entitled.
Note the losses for which CR19 sought compensation: he claimed that, as a result of the stress which that data loss incident caused him, his PTSD and alcohol problems worsened, he lost out on an employment opportunity and that his house had been devalued as a result of threats to the property and the package of security measures that had been implemented for protection.
The trial judge heard evidence from a number of parties, including medical experts on both sides. He found some aspects of CR19’s evidence unsatisfactory. Overall, however, he awarded CR19 £20,000 (plus interest) for the Constabulary’s negligence. He did not expressly deal with any award under s. 13 of the DPA.
CR19 appealed, saying the award was too low. His appeal was largely dismissed: the trial judge had been entitled to reach his conclusions on the evidence before him.
Further, the s. 13 DPA claim added nothing to the quantum. The Court of Appeal considered the cases of Halliday (a £750 award) and AB (£2,250) (both reported on Panopticon) and concluded as follows (para. 24):
“In this case we have earlier recorded that three eminent psychiatrists gave professional evidence as to the distress sustained by CR19 as a consequence of the break-in. While accepting that the breach and its consequences in this case are of a different order to the matters considered in Halliday or AB, we conclude that the damages for distress arising from the breach of the Data Protection Act must be considered to be subsumed into the judge’s award which, while rejected as too low by the appellant, was by no means an insignificant award. The assessment took account of the distress engendered by the breach of data protection. We cannot conceive of any additional evidence that might be relevant to any additional damages for distress in respect of breach of section 4. Accordingly, we affirm the award of compensation made by the learned trial judge. However, in view of Arden LJ’s reasoning in Halliday, we conclude that the appellant must in addition be entitled to nominal damages of £1.00 to reflect the fact that there was an admitted breach of section 4 of the Data Protection Act.”
Whilst it is not strictly correct to read the CR19 judgment as affirming a DPA award for £20,000 (that award was for negligence), the judgment is nonetheless interesting from a DPA perspective in a number of respects, including these:
(i) While it was conceded in Halliday that nominal damage suffices as “damage” for s. 13(1) purposes, that conclusion looks like it is being applied more widely.
(ii) One problem in Halliday (and to an extent also in AB) was the lack of cogent evidence supporting the alleged damage. The CR19 case illustrates how evidence, including expert medical evidence, can be deployed to effect in data breach cases (whether based on negligence or on the DPA).
(iii) Unlawful acts with respect to individuals’ personal information can, it seems, lead one way or another to a substantial award. The DPA may aim to offer relatively modest awards (so said the Court of Appeal in Halliday), but serious misuse or loss of personal data can nonetheless be very damaging, and the law will recognise and compensate for this where appropriate.
Robin Hopkins @hopkinsrobin