“SANDSTORM” PERSONAL DATA AND THE BCCI COLLAPSE

The Tribunal’s recent decision in Sikka v IC and HMT (EA/2010/0054) is a good illustration of how FOIA exemptions (here concerning prejudice to international relations and personal data) may be trumped by the overwhelming interest in the public being informed about corporate wrongdoing on a massive scale – including the public knowing the names of those involved in that wrongdoing. Some topical resonance perhaps.

It is also another useful illustration of how personal data should not be assessed on a “one size fits all” basis, but should (where appropriate) be analysed by category. In other words, distinguish between, for example, companies, senior management, employees and customers.

Background

In March 1991, the Bank of England instructed Price Waterhouse to undertake an audit of The Bank of Credit and Commerce International. Price Waterhouse submitted a draft of its report, known as the “Sandstorm” report. The report was never finalised, but the Bank of England relied on the draft to justify its decision to order BCCI immediately to close down its activities in the UK. That led to the collapse of BCCI into insolvency, owing creditors around the world something in the region of US$10 billion.

By the time of the request for a copy of this report (March 2006), an almost complete copy of the Sandstorm Report had been published on the internet, even though it had never been formally published by the Bank of England, albeit with certain names redacted and certain sections missing. The Bank of England relied upon section 40(2) (personal data) and section 27(1)(a) (prejudice to international relations) in refusing to disclose this remaining information. The Commissioner agreed. For the most part, the Tribunal did not.

Prejudice to international relations

The Tribunal agreed that section 27(1)(a) was engaged, but decided that the public interest favoured disclosure. At paragraph 31, it said this:

“Although the material proposed to be redacted under this exemption comprises just a few sentences in a 44 page report, it does contribute a very relevant element to the story as a whole. And we do not think that the public interest is materially reduced by the appearance of much of the same information in other published reports. The public has an interest in seeing how each of those who carried out an investigation illuminated the facts and assessed the actions of those who were involved, whether they contributed to the problems, tried to resolve them or played a neutral role. The weight we apply to this element of public interest has been heavily influenced by our view of the importance of the events surrounding the collapse of BCCI, the serious ramifications it had for many innocent people caught up in it and the questions it raised about the regulation and auditing of a large international institution.”

Personal data

A number of categories of allegedly personal data were identified. An interesting category was the names of companies, from which it was argued that individuals could be identified. The Tribunal was not persuaded by the evidence as to the risk of identifiability.

In any event, as regards senior management, it took the view that “those having [such] positions in either BCCI or other organisations that were closely involved in the unlawful elements of its activities should be identified”, given the seriousness of the issue.

The Commissioner had decided that the names of employees should not be disclosed, whether or not their involvement with BCCI had previously been raised in the course of criminal proceedings. He argued as follows. If they had been convicted, it might be unfair to raise their involvement again some 15 years or more after the event. If they were acquitted, or faced no criminal action, there would be unfairness in blighting future employment prospects by disclosing, in 2007, their involvement with BCCI some years previously. The Tribunal disagreed in part. Its view was that the question of disclosure in these circumstances should turn on the seniority of the employee. At paragraph 44, it said this:

“As regards the potential impact on future employment prospects of those who were acquitted or never prosecuted, we believe that any truthful job application and curriculum vitae will, in any event, include mention of time spent in the employment of BCCI. We do not think that those individuals mentioned in the confidential schedule, whose names we say should be disclosed, should be encouraged to omit or misrepresent this part of their career history, given the criticism voiced in the Sandstorm Report and the importance of employee competence and honesty to future employers in the banking sector.”

As regards the personal data of BCCI customers, the Tribunal distinguished between those whose hands were clean with respect to the BCCI fraud (do not disclose) and those whose hands were not (disclose).

Much turned on the gravity and public profile of the BCCI collapse. In these circumstances, the Tribunal found that information aired in a public trial was likely to remain in the public domain (contrast Armstrong v IC and HMRC (EA/2008/0026)), and that the passage of time undermined rather than strengthened the argument in favour of individual privacy.

Robin Hopkins

PERSONAL DATA: CRUCIAL POINTS FROM THE ‘ABORTION STATISTICS’ CASE

Judgment in Department of Health v IC [2011] EWHC 1430 (Admin) – the ‘abortion statistics’ appeal – was handed down on 20 April this year. Cranston J’s judgment has now been made available. The following salient points from that judgment may be of use to those interested in the concept and extent of ‘personal data’ under s. 40 FOIA and the DPA – especially when looking at the grey area of statistics or other anonymous data which is rooted in or derived from other data which is more overtly personal. The judgment is also essential reading for anyone grappling with the application of the leading House of Lords decision on this subject, Common Services Agency v Scottish Information Commissioner [2008] UKHL47, [2008] 1 WLR 1550 (‘CSA’). (‘Grappling’ is probably apt: even Cranston J conceded that “it would be wrong to pretend that the interpretation of the CSA case is an easy matter”).

Briefly by way of background: the Department refused a request for detailed statistics on the number of late-term abortions carried out on prescribed grounds. It relied on s. 40 FOIA, basing its case on the risk that, given the ‘low cell counts’ in these categories, the relevant patients and/or doctors might be identified by those sufficiently motivated to do so. The Commissioner found that these statistics were not personal data. The Information Tribunal agreed with the Department that they did constitute personal data, but was not satisfied that s. 40 was effective, as there was insufficient risk of identification.

On the Department’s appeal to the High Court, Cranston J agreed with the Commissioner that these statistics are not personal data.

One route to that conclusion was that advocated by the Commissioner, namely to adopt the approach of Baroness Hale in CSA: anonymised statistics remain personal data and therefore subject to the protection of the DPA in the hands of the data controller (who possesses the underlying data from which individuals could be identified) but not in the hands of the general public (who do not). This approach commended itself to the Upper Tribunal in the recent case of All Parliamentary Group on Extraordinary Rendition v Information Commissioner [2011] UKUT 153 AAC (on which, see my post here).

Cranston J, however, rejected that route, as it was the reasoning of Lord Hope rather than Baroness Hale in CSA which had attracted the majority’s support in that case. Lord Hope’s approach can be paraphrased as follows. The definition of personal data under s. 1 DPA provides for two means of identification: either from the data itself (inapplicable in the case of anonymous statistics) or from “from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”. Lord Hope’s approach to situations such as this is to ask: does the ‘other information’ (if provided to the hypothetical member of the public) add anything to the statistics which would enable them to identify the underlying individuals? If the answer is no, the statistics are not personal data. The underlined words are important: if identification can be achieved from the ‘other information’ in isolation (rather than when added to the statistics) then the statistics themselves are truly anonymous, and are not personal data. The statistics in this case failed Lord Hope’s test, and were thus not personal data.

Cranston J’s conclusion was that the Tribunal had been correct to conclude that the data was ‘truly anonymised’ – but it had erred in treating this as personal data which had been truly anonymised. The Department contended that, because it held the underlying identification data, the abortion statistics remained personal data in all circumstances. Cranston J rejected this submission, stating that:

“If that were the case, any publication would amount to the processing of sensitive personal data…  Thus, the statistic that 100,000 women had an abortion in a particular year would constitute personal data about each of those women, provided that the body that publishes this statistic has access to information which would enable it to identify each of them.  That is not a sensible result and would seriously inhibit the ability of healthcare organisations and other bodies to publish medical statistics”.

In going on to dismiss the Department’s other grounds of appeal, Cranston J made a number of other points of general application. For example, in rejecting the criticism that the Tribunal had failed adequately to engage with the Department’s expert evidence, Cranston J said this:

“To begin, the issue before the Tribunal was one of assessment: the likelihood that a living individual could be identified from the statistics.  That was in my judgment only partly a question of statistical expertise, as regards matters such as the sensitivity of the data.  Partly, also, it was a matter of assessing a range of every day factors, such as the likelihood that particular groups, such as campaigners, and the press, will seek out information of identity and the types of other information, already in the public domain, which could inform the search.  These are factors which the Tribunal was in as good a position to evaluate as the statistical experts, a point which one of the Department of Health’s experts conceded.  The analysis also applies to the evidence of senior civil servants.”

As regards the Department’s contentions that conditions from Schedules 2 and 3 of the DPA were not met, their points were “wounding” to the Tribunal’s judgment, but not “fatal”, in light of the evidence at the Tribunal hearing. Finally, Cranston J described the Department’s argument based on Article 8 ECHR as “very much a jury argument”.

Interestingly, on the same day as judgment was given in this case, the High Court (Kenneth Parker J) gave judgment in R (BT & Anor) v The Secretary of State for Business, Innovation and Skills [2011] EWHC 1021 (Admin)  – BT’s unsuccessful application for judicial review of the Digital Economy Act 2010 (on which, see my piece here). One of the grounds of challenge was alleged non-compliance with the Data Protection Directive. In that judgment, IP addresses (anonymous strings of numbers linked to internet subscribers’ accounts) were treated as personal data even in the hands of copyright owners who possessed only those IP addresses. This was by application of the definition of personal data under the Directive: here copyright owners were deemed likely to come into possession of the underlying personal data when taking legal action against the individual internet subscribers who downloaded content in breach of copyright. This conclusion was reached independently of the Lord Hope test. Note, however, that it seems from the judgment that this question – are IP addresses always personal data or not – was not argued in full before Kenneth Parker J. There is talk of a potential appeal, so the application of these principles to IP addresses might be considered in the courts again before too long.

Robin Hopkins

PERSONAL DATA, REPEAT AND VEXATIOUS REQUESTS AND INVESTIGATIONS

In Jeffery Lampert v IC and Financial Services Authority EA/2010/0203, the appellant was involved in a long running dispute with a bank, which had called on his guarantee of a loan and commenced bankruptcy proceedings against him. His MP had raised the matter with the FSA and the appellant believed that this had led to at least one investigation of the bank. The appellant subsequently made a freedom of information request for information held by the FSA recording the outcome of investigations into the bank about the matter and the calculation of the bank’s loss. The Information Commissioner found that any information falling within the scope of the request was the appllant’s personal data and therefore absolutely exempt from disclosure under FOIA. The First-Tier Tribunal found that:

  • there had been no investigation by the FSA of the bank and there was no document in existence which contained a calculation of the bank’s loss;
  • any information falling within the scope of the request would not have been the appellant’s personal data; applying Durantthe Commissioner was wrong to decide, in effect, that, merely because the information requested arose from the appellant’s complaints, it all constituted his personal data;
  • the FSA was entitled to rely on section 14(1) FOIA, in that this was a repeat request and a reasonable interval had not elapsed since the previous substantially similar request; and, further
  • there was ample material from which it could be found that the appellant’s request was vexatious.

In Public Prosecution Service for Northern Ireland v IC and John Collins EA/2010/0109, Mr Collins requested the PPS documentation (excluding names and addresses) relating to a particular criminal damage case. It was not in dispute that section 30(1) FOIA was engaged and the only issue for the First-Tier Tribunal was whether the public interest in maintaining the exemption outweighed the public interest in disclosure. The Tribunal accepted that it had to take into account the need for prosecutors to have a safe space in which to decide whether or not a case met the threshold for pursuing a prosecution, without fear of frank assessments being publicised after the event. Eroding this safe space would undermine the independence of prosecution authorities, compromise the quality of decision making, potentially deter witnesses from co-operating and undermine (without good reason) public confidence in those authorities. The Tribunal held that these factors attracted very substantial weight. The Tribunal found, having considered the disputed information, that there was no reason to suspect that the prosecuting authority had made substantial mistakes in this case. The public interest in maintaining the exemption therefore clearly outweighed the public interest in disclosure.

EXTRAORDINARY RENDITION UPPER TRIBUNAL APPEAL: LATE RELIANCE, PERSONAL DATA & OTHER ISSUES

The All Party Parliamentary Group on Extraordinary Rendition (APG) requested information from the Ministry of Defence on (i) memoranda of understanding between the UK and the governments of Iraq, Afghanistan and the USA regarding the treatment of prisoners detained in the conflicts in Iraq and Afghanistan, (ii) a copy of the Detentions Practices Review, (iii) a copy of the UK’s policy on capture and joint transfer, and (iv) statistics on detainees held in Iraq and Afghanistan. The MOD refused the requests, relying on a number of exemptions under FOIA. For the most part, the Commissioner agreed. APG’s appeal was expedited to the Upper Tribunal and heard by Blake J, Andrew Bartlett QC and Rosalind Tatam.

Except as regards request (iii), its appeal has succeeded, to a limited but substantial extent. The Upper Tribunal has ordered disclosure or significantly more information than that ordered by the Commissioner.

Its judgment (available here) is complex. Some of the key points of interest are as follows.

Late reliance

The Upper Tribunal was mindful of the decision of a differently constituted Upper Tribunal in the DEFRA/Brikett appeals, where it was held that public authorities may rely on exemptions as of right at any stage in proceedings. In this case, the Upper Tribunal did not need to decide the issue of late reliance, but it did confess to having “some general concerns” about such an approach, which threatens to “turn the time limit provisions of ss. 10 and 17 almost into dead letters”, and “can also create a strong sense of injustice”. The internal review mechanism provides sufficient time for the public authority to make its mind up; if new points are taken thereafter, “then fairness requires that the requester should be allowed to add to the terms of his complaint under s. 50(1)”.

Cost of compliance under s. 12 FOIA

The Upper Tribunal approved principles from Urmenyi v IC and LB Sutton (EA/2006/0093) concerning the Commissioner’s enquiries into the assumptions behind the public authority’s estimate, and from Roberts v IC (EA/2008/0050) about the activities falling within s. 12 and the reasonableness of estimates.

Late reliance on s. 12 is a different matter to late reliance on exemptions under Part II of FOIA. Delay by a public authority robs the requester of the opportunity to split the request into parts separated by 60 days, thereby avoiding s. 12. The cost exemption “only has meaning if the point is taken early on in the process, before substantial costs are incurred” – it looks at whether costs would exceed, not whether they have been exceeded.

In the present case, the MOD’s estimate was not reasonable because it was based upon a search for a broader class of information than that which was actually requested.

Prejudice to international relations under s. 27 FOIA

The Upper Tribunal was not persuaded that this exemption was effective: “since the maintenance of the rule of law and protection of fundamental rights is known to be a core value of the government of the United Kingdom, it is difficult to see how any responsible government with whom we have friendly relations could take offence at open disclosure of the terms of an agreement or similar practical arrangements to ensure that the law is upheld”.

Legal professional privilege under s. 42 FOIA

This exemption was engaged, and the public interest in favour of disclosure of the UK’s Detention Practices Review did not outweigh the public interest in maintaining the exemption.

Bodies dealing with security matters under s. 23 FOIA

The MOD successfully relied on this exemption – including where it was relied on “late”.

Personal data under s. 40 FOIA and the conditions in Schedule 2 DPA

Information on the dates and locations of individual cases of detention and prisoner transfer would not enable identification of those individuals, and was thus not personal data. If it had been personal data, condition 6(1) from Schedule 2 DPA would have been met.

APG in fact submitted that conditions 4, 5(a), 5(d) and 6(1) would be met by disclosure of statistics on detainees. The MOD submitted that a number of these conditions could not be relied on in the context of a request under FOIA because the public at large (to whom disclosure under FOIA is deemed to be made) cannot fulfil these conditions. The Upper Tribunal disagreed: at least some of these conditions can be fulfilled by a member of the public, and that is sufficient.

APG further relied on s. 35(2) DPA, which provides an exemption from the non-disclosure provisions of the DPA where disclosure is “necessary for the purposes of establishing, exercising or defending legal rights”. The Upper Tribunal confirmed that “establishing” for these purposes had the sense of “vindicating” rather than merely determining what the relevant rights are.

Where data is anonymised, it continues to attract the protection of the data protection principles insofar as it is in the hands of the data controller (who holds the key to identification of the otherwise anonymous data subjects). “But outside the hands of the data controller, the information is no longer personal data, because no individual can be identified… the best analysis is that disclosure of fully anonymised information is not a breach of the [DPA] because at the moment of disclosure the information loses its character as personal data”. The publication of truly anonymised or other “plain vanilla” data therefore does not involve “processing of personal data” for DPA purposes.

Related judgments

On the late reliance issue, permission to appeal to the Court of Appeal is being sought in the DEFRA/Birkett case.

On the s. 40 FOIA issue, the Upper Tribunal’s decision needs to be read in conjunction with the High Court’s decision (also handed down very recently) in the Department of Health’s “abortion statistics” appeal.

TWO HIGH COURT ‘PERSONAL DATA’ JUDGMENTS: DIGITAL ECONOMY ACT 2010 AND ABORTION STATISTICS

The High Court has today handed down two judgments of some significance in the context of personal data.

This morning, Kenneth Parker J gave judgment in the application brought by BT and TalkTalk for judicial review of the Digital Economy Act 2010 (on which, see my earlier discussion here). The Act seeks to combat illegal file-sharing by allowing copyright owners to detect apparently unlawful online activity and report it to the suspect’s internet service provider, who must then warn the suspect against repeat infringements. The claimants contended, among other things, that this regime breached EU data protection law. Their claim failed on this and three other grounds, succeeding only with their fifth ground, which contended that internet service providers should not have to foot 25% of the bill for the regime imposed by the Act. Read the DCMS’ press release here.

This afternoon, Cranston J gave judgment in the “abortion statistics” appeal (on which, see my earlier Panopticon post here). The Information Tribunal had upheld the Commissioner’s decision to order disclosure of “low cell count” statistics as to the number of abortions carried out on specified grounds. Argument had focused on the risk of doctors, and in particular patients being identified. The Department of Health’s appeal to the High Court was dismissed. The judgment represents a notable development in jurisprudence on personal data.

More analysis to follow when these judgments are made available.

SOWING OF GM-CONTAMINATED SEEDS IS NOT AN ‘EMISSION’ FOR THE PURPOSES OF THE EIR

Both the Environmental Information Regulations 2004 (EIR) and the Directive from which it derives (Directive 2003/4/EC) emphasise the importance of permitting the public access to information on ‘emissions’ – see further the fact that a number of the exceptions provided for in the EIR and the Directive are specifically disapplied in the case of emissions information (see r. 12(9) EIR and Art. 4(2) of the Directive). However, one question which is not always easy to answer in practice is what will constitute ‘an emission’ for the purposes of the legislation. In part, this difficulty arises because neither the EIR nor the Directive contains any definition of the word ‘emission’ (although the concept is examined in the Implementation Guide to the Aarhus Convention, which the Directive was itself designed to implement). The question of what will constitute an ‘emission’ for the purposes of the EIR and the Directive was considered for the first time by the Information Tribunal in the case of GM Freeze v IC & DEFRA (EA/2010/0112). In that case, the First Tier Tribunal held (obiter) that the word ‘emission’ did not include the deliberate sowing of genetically-modified seed. The Tribunal’s decision is also worth considering in view of the analysis it contains on the application of the personal data exception provided for in r. 13 EIR.