New CCTV Code of Practice: surveillance and the protection of freedoms

June 17th, 2013 by Robin Hopkins

Surveillance of the covert and digital variety has been dominating the news of late. The legal contours of the practices leaked by Edward Snowden (the NSA’s obtaining of internet metadata) and covered by The Guardian (most recently, GCHQ’s monitoring of certain communications of ‘friendly’ foreign allies) may be matters of some debate.

In the meantime, the legal contours of a more overt and physical variety of surveillance – CCTV – have been somewhat clarified.

Panopticon indeed.

As its name suggests, the Protection of Freedoms Act 2012 expressed the incoming Coalition Government’s commitment to keeping in check the state’s surveillance of ordinary citizens. By that Act (sections 29-36), the Home Secretary was to present to Parliament a Code of Practice governing the use of surveillance camera systems including CCTV and Automatic Number Plate Recognition (ANPR). Following a consultation exercise – the response to which can be read here – the Home Secretary has now done so. The Code was laid before Parliament on 4 June 2013. A draft order (the Protection of Freedoms Act 2012 (Code of Practice for Surveillance Camera Systems and Specification of Relevant Authorities) Order 2013) is currently being considered by Parliament’s Joint Committee on Statutory Instruments.

Pending its coming into force, Panopticon summarises the key features of the new Code.

To whom does the Code apply?

The Code imposes duties on ‘relevant authorities’, which are those listed at section 33(5) of the Protection of Freedoms Act 2012 – in the main, local authorities and policing authorities.

The draft order proposes to add the following to the list of relevant authorities:

(a) The chief constable of the British Transport Police;

(b) The Serious Organised Crime Agency;

(c) The chief constable of the Civil Nuclear Constabulary; and

(d) The chief constable of the Ministry of Defence Police.

The Code recognises that concern about the use of surveillance cameras often extends beyond these sorts of full-blooded ‘public’ authorities. It recognises that the list of relevant authorities may need to be expanded in future to encompass shopping centres, sports grounds, schools, transport centres and the like.

For now, however, only those listed as ‘relevant authorities’ are subject to the duties imposed by the Code. Others who use such surveillance systems are ‘encouraged’ to abide by the Code.

What duty is imposed by the Code?

The Code imposes a ‘have regard to’ duty. In other words, relevant authorities are required to have regard to the Code when exercising any of the functions to which the Code relates. As regards its legal effects:

“A failure on the part of any person to act in accordance with any provision of this code does not of itself make that person liable to criminal or civil proceedings. This code is, however, admissible in evidence in criminal or civil proceedings, and a court or tribunal may take into account a failure by a relevant authority to have regard to the code in determining a question in any such proceedings” (paragraph 1.16).

It may well be that the Code also weighs heavily with the ICO in its consideration of any complaints about the use of surveillance cameras breaching the DPA 1998.

Remember that the Home Office Code sits alongside and does not replace the ICO’s CCTV Code of Practice.

What types of activity are covered by the new Code?

Relevant authorities must have regard to the Code ‘when exercising any of the functions to which the Code relates’. This encompasses the operation and use of and the processing data derived from surveillance camera systems in public places in England and Wales, regardless of whether there is any live viewing or recording of images and associated data.

The Code does not apply to covert surveillance, as defined under the Regulation of Investigatory Powers Act 2000.

What about third party contractors?

Where a relevant authority instructs or authorises a third party to use surveillance cameras, that third party is not under the ‘have regard to’ duty imposed by the Code. That duty does, however, apply to the relevant authority’s arrangements.

By paragraph 1.11:

“The duty to have regard to this code also applies when a relevant authority uses a third party to discharge relevant functions covered by this code and where it enters into partnership arrangements. Contractual provisions agreed after this code comes into effect with such third party service providers or partners must ensure that contractors are obliged by the terms of the contract to have regard to the code when exercising functions to which the code relates.”

The approach

The guiding philosophy of the Code is one of surveillance by consent:

 “The government considers that wherever overt surveillance in public places is in pursuit of a legitimate aim and meets a pressing need, any such surveillance should be characterised as surveillance by consent, and such consent on the part of the community must be informed consent and not assumed by a system operator…. [legitimacy] in the eyes of the public is based upon a general consensus of support that follows from transparency about their powers, demonstrating integrity in exercising those powers and their accountability for doing so” (paragraph 1.5).

In a nutshell, the expectation is this:

“The decision to use any surveillance camera technology must, therefore, be consistent with a legitimate aim and a pressing need. Such a legitimate aim and pressing need must be articulated clearly and documented as the stated purpose for any deployment. The technical design solution for such a deployment should be proportionate to the stated purpose rather than driven by the availability of funding or technological innovation. Decisions over the most appropriate technology should always take into account its potential to meet the stated purpose without unnecessary interference with the right to privacy and family life. Furthermore, any deployment should not continue for longer than necessary” (paragraph 2.4).

The guiding principles

The Code then sets out 12 guiding principles which systems operators should follow:

(1) Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.

(2) The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.

(3) There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.

(4) There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.

(5) Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.

(6) No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.

(7) Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.

(8) Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.

(9) Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.

(10) There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.

(11) When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.

(12) Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.

Points to note

The Code then fleshes out those guiding principles in more detail. Here are some notable points:

Such systems “should not be used for other purposes that would not have justified its establishment in the first place” (paragraph 3.1.3).

“People do, however, have varying and subjective expectations of privacy with one of the variables being situational. Deploying surveillance camera systems in public places where there is a particularly high expectation of privacy, such as toilets or changing rooms, should only be done to address a particularly serious problem that cannot be addressed by less intrusive means” (paragraph 3.2.1).

“Any proposed deployment that includes audio recording in a public place is likely to require a strong justification of necessity to establish its proportionality. There is a strong presumption that a surveillance camera system must not be used to record conversations as this is highly intrusive and unlikely to be justified” (paragraph 3.2.2).

“Any use of facial recognition or other biometric characteristic recognition systems needs to be clearly justified and proportionate in meeting the stated purpose, and be suitably validated. It should always involve human intervention before decisions are taken that affect an individual adversely” (paragraph 3.3.3).

“This [the requirement to publicise as much as possible about the use of a system] is not to imply that the exact location of surveillance cameras should always be disclosed if to do so would be contrary to the interests of law enforcement or national security” (paragraph 3.3.6).

“It is important that there are effective safeguards in place to ensure the forensic integrity of recorded images and information and its usefulness for the purpose for which it is intended to be used. Recorded material should be stored in a way that maintains the integrity of the image and information, with particular importance attached to ensuring that meta data (e.g. time, date and location) is recorded reliably, and compression of data does not reduce its quality” (paragraph 4.12.2).

Enforcement

The Surveillance Camera Commissioner is a statutory appointment made by the Home Secretary under section 34 of the Protection of Freedoms Act 2012. The Commissioner has no enforcement or inspection powers. However, in encouraging compliance with the Code, he “should consider how best to ensure that relevant authorities are aware of their duty to have regard for the Code and how best to encourage its voluntary adoption by other operators of surveillance camera systems” (paragraph 5.3). The Commissioner is/is to be assisted by a non-statutory Advisory Council with its own specialist subgroups.

Given the limited remit of the Surveillance Camera Commissioner, it may be that the Code shows its teeth more effectively in complaints to the ICO and/or the courts.

Robin Hopkins

Tags: , , ,
Posted in INFORMATION LAW | Comments Off on New CCTV Code of Practice: surveillance and the protection of freedoms

Surveillance: RIPA and the Communications Data Bill

May 29th, 2013 by Robin Hopkins

The Communications Data Bill, shelved amid political heavy weather, is back on the agenda in the wake of last week’s Woolwich murder. Today for example, Conservative MP and former policing minister Nick Herbert wrote an article in The Times in support of the Bill and responding to those who have called it a ‘snooper’s charter’.

One of the more detailed critiques of Mr Herbert’s article came from Big Brother Watch. Part of its argument was that the Regulation of Investigatory Powers Act 2000 (RIPA) already provides for necessary surveillance – indeed, RIPA goes further because, unlike the Communications Data Bill, it allows for the actual content of communications to be intercepted in appropriate circumstances

Big Brother Watch’s article noted, however, problems with the use of intercept evidence in criminal trials. As regards the admissibility of surveillance resulting in the recording of conversations however, a very recent Court of Appeal judgment brings good news.

Turner v R [2013] EWCA Crim 642 concerned an appeal against a murder conviction. The evidence included extracts from some 300 hours’ worth of conversations which had been recorded as part of an intrusive surveillance operation authorised under RIPA.

The single ground of appeal against conviction arose from the rejection by Dobbs J of the submission that the indictment should be stayed as an abuse of process arising from the use of intrusive covert surveillance in the appellant’s home; alternatively, that the evidence derived from that surveillance was unfairly admitted in evidence, when it should have been excluded under s.78 of the Police and Criminal Evidence Act 1984.

The Court of Appeal dismissed these arguments. It had particular regard to the importance of respecting legal professional privilege when gathering evidence through covert means.

The Lord Chief Jusitce concluded that (paragraph 28):

“The surveillance was lawful. The relevant disclosure took place. The record of incriminating conversations was unchallenged. We understand that there may be extreme cases in which the prosecuting authorities (using the words in a comprehensive way) may interfere so significantly with the legal privilege of a defendant that the very integrity of the administration of justice may be undermined. That, however, did not happen here. Lawful covert surveillance produced damaging evidence against all three defendants. The process worked lawfully: any flaws were minor and short, and inconsequential”.

As to admissibility, he said this (paragraph 30):

“The only unfairness was that the appellant chose to say the things that he did because he did not realise that they were being recorded. The object of covert surveillance of the kind deployed in this case was to discover the truth, and, the evidence of what the appellant said about the death of the deceased was put before the jury while anything containing even a whisper of conversations protected by legal privilege was excluded. That was not unfair.”

Those arguing that RIPA is a fit-for-purpose surveillance tool will no doubt find support in this judgment.

Robin Hopkins

Tags: , , ,
Posted in INFORMATION LAW | Comments Off on Surveillance: RIPA and the Communications Data Bill

T v Manchester goes to the Supreme Court

May 28th, 2013 by Robin Hopkins

One of the most important privacy judgments of the year thus far has been that of the Court of Appeal in R (T & others) v Chief Constable of Greater Manchester & others [2013] EWCA Civ 25, on which Chris Knight blogged in January. In a nutshell, the Court of Appeal held that the criminal records disclosure regime (including the exceptions to the Rehabilitation of Offenders Act 1974) violated Article 8 ECHR.

Permission has been granted for a further appeal to the Supreme Court, which will hear the case on 24 and 25 July of this year. Watch this space.

Robin Hopkins

Tags: , , ,
Posted in INFORMATION LAW | Comments Off on T v Manchester goes to the Supreme Court

Closed material and closed proceedings in FOIA litigation: authoritative guidance from the Upper Tribunal

May 22nd, 2013 by Robin Hopkins

Closed material and closed proceedings are commonplace in FOIA litigation. As regards the disputed information itself, the need is self-explanatory. But what about closed material other than the disputed information, such as evidence in support of a public authority’s reliance on exemptions? To what extent is it appropriate for FOIA proceedings to be determined by reference to such material which the requester is unable to see and challenge? Also, if the public authority’s concern is with public disclosure of such material, is the solution to be found in a readiness to bring the requester’s legal representatives into a ‘confidentiality ring’? In other words, do natural and open justice demand that requesters’ legal representatives be allowed to attend the closed part of the hearing and see the closed material?

These questions are fundamental to the fair and thorough determination of disputes about the rights conferred by FOIA. In a very important recent decision, the Upper Tribunal has given its answers.

The case

Browning v IC and Department for Business, Innovation & Skills (GIA 25/12) was heard by Mr Justice Charles, Mr Justice Mitting and Upper Tribunal (UT) Judge Andrew Bartlett QC. The decision is available here: Browning GIA 25 12.

The case concerned a request from a Bloomberg journalist for information from the Export Control Organisation (for which DBIS is the relevant public authority) in connection with licences issued for the exporting to Iran of “controlled goods” – explained as “mainly military, dual use (potentially military), equipment designed for torture or repression or sources of radio-activity”. DBIS relied on sections 41 and 43 FOIA. The IC found for the requester but, upon sight of further evidence, supported DBIS’ appeal before the First-Tier Tribunal (FTT). In decision EA/2011/0044, the FTT allowed DBIS’ appeal. In reaching its decision the FTT considered closed material and part of the hearing was closed.

The closed material comprised not only the disputed information, but DBIS’ evidence supporting its reliance on the exemptions. In particular, DBIS had written to applicants for such licences to obtain their views about disclosure, and it relied on their (confidential) responses in closed. Four or five of the 92 responses had been provided to Mr Browning in an anonymised, re-typed and redacted form prior to the hearing before the FTT, so as to illuminate to a degree the nature of the closed evidence being relied upon.

Mr Browning had not asked for more of the closed evidence to be made available to him in that way. Rather, a without-notice application was made at the FTT hearing for his legal representative(s) to see the closed material and attend the closed hearing in order to put the case on his behalf. The FTT refused the application. It summarised the approach taken in other FTT decisions, whereby such applications “will succeed only if there are exceptional circumstances specific to the appeal… The use of special counsel, as an alternative, is likewise exceptional.”

Mr Browning’s first ground of appeal before the UT was against the FTT’s refusal of that application.

Reliance on closed material

Mr Browning understandably contended that “the principles of open and natural justice and of fairness require, or strongly support the conclusion, that their application in the context of adversarial civil litigation should be departed from to the least extent possible… in the determination of an appeal to the FTT under FOIA” (para 48).

The UT said, however, that those principles admit of some context-sensitive flexibility. FOIA appeals are materially dissimilar from criminal and adversarial civil litigation. At paras 59-60, it said that:

“FOIA and its underlying purposes mean that, when a disputed request for information reaches the First-tier Tribunal pursuant to the statutory scheme put in place by FOIA, the relevant background and landscape of rights, interests and duties is materially different from that which obtains in criminal and civil litigation in the courts… It follows from the points we have made about the purposes of FOIA that, in our view, to characterise the First–tier Tribunal’s function, within the statutory scheme established by FOIA, as or equating to ordinary civil and therefore adversarial litigation because it is deciding a dispute between the parties before it, or deciding whether to vindicate a right claimed by the applicant, is an inadequate and inaccurate description; rather, its function is investigatory and is to see that FOIA is properly applied to the circumstances. This involves consideration, in the manner provided by FOIA, of the right which is given by s. 1(1) in pursuance of the interests served by the release of information, together with the assessment of countervailing public and private interests in accordance with the terms of the exemptions.”

Closed proceedings are thus intrinsic to FOIA litigation. The UT has confirmed the right to rely on closed evidence other than the disputed information (though see below for procedural caveats). See paras 59-60:

“(i) it is clear that Parliament did not intend that there should be such a “back door” route to information in respect of which a FOIA exemption could be claimed.  It follows that there is a need to protect it from disclosure to a requester that is equivalent to that which exists in respect of the information he or she has requested, and

(ii) it is also apparent that Parliament did not intend to spawn disproportionate and satellite disputes on whether an exemption applies to information put forward to establish a claimed exemption, and this is a reason why it chose an investigatory appeal process to a tribunal comprising persons with relevant expertise.”

The UT concluded that (para 71):

“The exercise by the First-tier Tribunal of its discretion under the 2009 Rules to consider closed material and to hold a closed hearing is not governed directly, or by analogy, by the approach taken by the civil courts to the disclosure of relevant material and we therefore reject Mr Browning’s central argument that it should be exercised to achieve a result that departs to the least extent possible from the approach taken in adversarial civil litigation.”

Applications for representatives to see closed material/attend closed hearings

The UT reviewed the jurisprudence on this issue (which has not favoured the granting of such applications) and discussed the problems that would arise if such an application were granted. There is a risk of accidental disclosure. It can be difficult for the representative to police neat lines between what he can and cannot say to his client or in open session. More generally, there would be very problematic limitations on taking instructions, such that (para 76) “the value added of the approach over that of suggesting lines of enquiry to the First-tier Tribunal and the Information Commissioner is likely to be limited to what the representative knows of his client’s position before he takes part in the closed process.” In any event, what to do about unrepresented requesters?

At paras 80-81, the UT set outs its conclusions:

“… a First-tier Tribunal should not direct that a representative of an excluded party should see closed material or attend a closed hearing unless it has concluded that, if it does not does so: it cannot carry out its investigatory function of considering and testing the closed material and give appropriate reasons for its decision on a sufficiently informed basis and so fairly and effectively in the given case having regard to the competing rights and interests involved.

81.          We also acknowledge and confirm that this approach will lead to the result that it will only be in exceptional and so rare cases that a representative of a party seeking information under FOIA will be permitted to see closed material and attend at a closed part of the hearing.  Indeed, we have not been able to identify circumstances in which we think that this would be appropriate, but acknowledge that it cannot be said that this should never be done.”

It also considered that Article 6 ECHR was not engaged, and that its engagement would not dislodge the above conclusions in any event.

Mr Browning’s first ground of appeal therefore failed. The UT did, however, have more to say on how to approach reliance on closed material. All parties involved in FOIA litigation should pay careful attention to these points.

The Practice Note and other observations on the use of closed material

The UT had misgivings about the limited extent of the anonymised closed material which had been made available to Mr Browning on an open basis. It noted, however, that this limited disclosure had for a vigorous and partially successful challenging of the evidence by the requester’s counsel. “During the period leading up to the hearing and when it began Mr Browning and his legal representatives had ample opportunity to seek by way of agreement or further direction additional information about the extent, content and nature of the Closed Exemption Evidence and they did not do so”.

Strictly speaking, the UT has declined to issue general guidance on the approach to allowing reliance on closed material at FTT level, but it has made a number of important points.

It observed (para 42) that “the need to avoid disclosure of the requested information is an obvious and good reason for there being closed material and a closed hearing, but in some cases this may not be the only reason that justifies a First-tier Tribunal considering closed material and holding a closed hearing”.

The FTT’s Practice Note on Closed Material in Information Rights Cases (issued in May 2012) was also considered. The UT said this (para 17):

“This does not have the force of a rule of law or a practice direction, and this judgment should not be taken as comprehensively endorsing it, but we do consider that it is something that First-tier Tribunals should take into account and, if they do not apply it in a given case, they should explain why they have not done so.  In particular, in our judgment, if no written and reasoned application for there to be closed material and a closed hearing has been made pursuant to that Practice Note, First–tier Tribunals should explain why they have proceeded without one.”

It added this on the FTT’s approach to closed material in general (para 18):

“More generally, we comment that First-tier Tribunals should consider and give appropriately detailed directions and reasons (i) setting out the nature and subject matter of any closed material and hearing, (ii) why they have accepted that they should consider evidence advanced by a public authority (or anyone else) and argument on a closed basis, and (iii) why further information relating to their content has not been provided.  If this is done it will provide clarity as to what will be, and has been, considered on a closed basis and why, for example, evidence provided to support an exemption has been so considered and more of it, or about it, has not been disclosed.”

Finally, the UT was clear as to the ongoing nature of these duties (para 39): “throughout the proceedings a tribunal carrying out its investigatory function must keep under review whether information about closed material should be provided to an excluded party in, for example, an anonymised form”.

Clearly, all FTT proceedings involving closed should be conducted in light of the points made above.

Other grounds of appeal: sections 41 and 43 of FOIA

Mr Browning’s other grounds of appeal also failed before the UT. Some of those grounds concerned the FTT’s findings on section 41 of FOIA (actionable breach of confidence). Mr Browning that the disputed information had not been “obtained” from outside the public authority, that the name of a licence applicant does not have the necessary quality of confidence, and that applicants had not imparted licence information in circumstances importing an obligation of confidence. All of those grounds of appeal were dismissed.

More broadly, on the approach to section 41 of FOIA, the UT has said this (para 30):

“It was also common ground before the FTT, and not an issue that was raised or argued before us, that the consideration of whether disclosure would constitute a breach of confidence that is “actionable” incorporates all parts of the breach of confidence action, including the absence of a public interest defence.  This accords with existing First-tier Tribunal decisions (see for example, Gurry on Breach of Confidence 2nd edit para 13.130 and in particular HCFC v IC & Guardian News and Media EA 2009/0036).  On that approach, the point that s. 41 is an absolute exemption is not as significant as it might first appear because within it there is a need to weigh the competing public interests, and as pointed out in a footnote to that paragraph in Gurry, the reverse approach to weighing the public interest in respect of a breach of confidence to that set out in s. 2 of FOIA in respect of a qualified exemption, if anything, makes it easier to establish the s. 41 exemption but is unlikely to become a determinative factor.”

Mr Browning also challenged the FTT’s conclusions on the detriment likely to arise from disclosure and argued that it had not identified the prejudice to commercial interests or the likelihood of that prejudice (for section 43(2) FOIA purposes).

The UT did have misgivings about the FTT’s comments about ‘chilling effect’ arguments on the evidence, but found that it there had been an error of law, it was at most a makeweight finding which did not suffice to overturn the FTT’s decision.

Ben Hooper acted for the Information Commissioner.

Robin Hopkins

Tags: , , , , , , ,
Posted in INFORMATION LAW | Comments Off on Closed material and closed proceedings in FOIA litigation: authoritative guidance from the Upper Tribunal

Damages under section 13 DPA: Court of Appeal’s judgment in Halliday

May 17th, 2013 by Robin Hopkins

I blogged a while ago about the ex tempore judgment from the Court of Appeal in a potentially groundbreaking case on damages under section 13 of the DPA, namely Halliday v Creation Consumer Finance [2013] EWCA Civ 333. The point of potential importance was that ‘nominal damages’ appeared to suffice for the purposes of section 13(1), thereby opening up section 13(2). In short, the point is that claimants under the DPA cannot be compensated for distress unless they have also suffered financial harm. A ‘nominal damages’ approach to the concept of financial harm threatened to make the DPA’s compensation regime dramatically more claimant-friendly.

The Court of Appeal’s full judgment is now available. As pointed out on Jon Baines’ blog, ground has not been broken: the ‘nominal damages’ point was a concession by the defendant rather than a determination by the Court. See paragraph 3 of the judgment of Lady Justice Arden:

“… this issue, which was the main issue of the proposed appeal to this court, is now academic as the respondent, CCF, concedes an award of nominal damages is “damage” for the purposes of the Directive and for the purposes of section 13(2) of the Data Protection Act 1998.”

Other potentially important points have also fallen somewhat flat. The question of whether UK law provided an adequate remedy for a breach of a right conferred by a European Directive fell away on the facts (“proof fell short in relation to the question of damage to reputation and credit”), while the provision for sanctions under Article 24 of Directive 95/46/EC was neither directly enforceable to Mr Halliday nor of assistance to him.

Still, the judgment is not without its notable points.

One is the recognition that compensation for harm suffered is a distinct matter from penalties for wrongdoing; the former is a matter for the courts in the DPA context, the latter a matter for the Information Commissioner and his monetary penalty powers. Such was the implication of paragraph 11:

“… it is not the function of the civil court, unless specifically provided for, to impose sanctions. That is done in other parts of the judicial system.”

Another point worth noting is Lady Justice Arden’s analysis of distress and the causation thereof. The distress must be caused by the breach, not by other factors such as (in this case) a failure to comply with a court order. See paragraph 20:

“Focusing on subsection (2), it is clear that the claimant has to be an individual, that he has to have suffered distress, and that the distress has to have been caused by contravention by a data controller of any of the requirements of the Act. In other words, this is a remedy which is not for distress at large but only for contravention of the data processing requirements. It also has to be distress suffered by the complainant and therefore would not include distress suffered by family members unless it was also suffered by him. When I say that it has to be caused by breach of the requirements of the Act, the distress which I accept Mr Halliday would have felt at the non-compliance of the order is not, at least directly, relevant because that is not distress by reason of the contravention by a data controller of the requirements of this Act. If the sole cause of the distress had been non-compliance with a court order, then that would have lain outside the Act unless it could be shown that it was in substance about the non-compliance with the Data Protection Act.”

The claimant had sought to draw an analogy with guidelines and banding for discrimination awards as set by Vento v Chief Constable of West Yorkshire Police [2013] 1 ICR 31. The Court of Appeal was not attracted. See paragraph 26:

“In answer to that point, the field of discrimination is, it seems to me, not a helpful guide for the purposes of data protection. Discrimination is generally accompanied by loss of equality of opportunity with far-reaching effects and is liable to cause distinct and well-known distress to the complainant.”

Finally, Lady Justice Arden commented as follows concerning the level of the compensation to be awarded on the facts of this case: “in my judgment the sum to be awarded should be of a relatively modest nature since it is not the intention of the legislation to produce some kind of substantial award. It is intended to be compensation, and thus I would consider it sufficient to render an award in the sum of £750” (paragraph 36).

Lord Justice Lloyd (who, along with Mr Justice Ryder agreed with Lady Justice Arden) did pause to think about a submission on this question ‘if you were so distressed, why did you not complain immediately?’, but concluded that (paragraph 47):

“I confess that I was somewhat impressed at one point by Mr Capon’s submission that it was a surprise, if Mr Halliday was so distressed by this contravention, that he did not immediately protest upon discovering, in response to his first credit reference enquiry, the fact of the contravention, and indeed he did not protest until about a month after the second report had been obtained. But I bear in mind, in response to that, Mr Halliday’s comment that he had had such difficulty in getting any sensible response, or indeed any response, out of CCF at the earlier stage, that it is perhaps less surprising that he did not immediately protest. In any event, the period in question is not a very lengthy one between his discovery of the contravention by his first reference request and his taking action in July. Accordingly, it does not seem to me that that is a matter that should be taken to reduce my assessment of the degree of distress that he suffered.”

Robin Hopkins

Tags: , , ,
Posted in INFORMATION LAW | Comments Off on Damages under section 13 DPA: Court of Appeal’s judgment in Halliday

Information rights: proposed legislative changes and more

May 17th, 2013 by Robin Hopkins

Earlier this week, James Goudie QC blogged on the Intellectual Property Bill’s amendment to FOIA, introducing a new qualified exemption (section 22A) for continuing programmes of research intended for future publication. On the issue of research – which featured prominently in submissions from the university sector during FOIA’s post-legislative scrutiny health-check – this would bring FOIA into line with its Scottish counterpart. For an informative discussion of this topic, see this post from Kit Good.

Interestingly, that post refers to an ICO decision notice (FS50163282 of 29 March 2010) about “tree ring” data, a method used to analyse wood from archaeological sites to determine past climates. The ICO found that Queen’s University Belfast was not entitled to rely on (among other exceptions) regulations 12(4)(d) of the EIRs (material which is still in the course of completion, unfinished documents or incomplete data). As it happens, the Tribunal has today issued a decision concerned with tree ring data in a university research context: McIntyre v IC and UEA, EA/2012/0156. The Tribunal noted the ICO’s note of caution concerning ever-evolving research data: “this argument should not be used to withhold tree-ring chronologies endlessly, by arguing that they are always a ‘work in progress’”. However, on the facts of the case the Tribunal upheld UEA’s reliance on regulation 12(4)(d), as supported by the ICO.

This has not been FOIA’s only outing in Parliament this week. An early day motion was tabled on Tuesday of this week expressing concern at the Government’s proposal to make cost restrictions more public authority-friendly. The motion is worded as follows:

“That this House notes that the Government is proposing to make it easier for public authorities to refuse Freedom of Information requests on cost grounds in order to prevent disproportionate use of the Freedom of Information Act 2000 by some requesters; expresses concern that requests by those making moderate use of the legislation will also be more easily refused under the proposals; is particularly concerned at the proposal that the time which authorities spend considering whether to release information should be taken into account when calculating whether the cost limit has been reached; further notes that this proposal was expressly rejected by the Justice Committee in its post-legislative review of the Act; believes that this proposal will penalise requests raising new or complex issues which will inevitably require substantial time to consider; observes that the Government’s objective will in any case be achieved following recent decisions of an Upper Tribunal that requests which involve a disproportionate, manifestly unjustified, inappropriate or improper use of the Act can be refused as vexatious; and calls on the Government not to proceed with its proposals.”

The motion’s primary sponsor is Richard Shepherd. At present, there are 12 signatories. Maurice Frankel of the Campaign for FOI is urging more MPs to take up the cause.

Turning from FOIA to information rights concerns of a data protection variety, the Care Bill was introduced in the House of Lords last week. Notably, it contains an express provision making the provision of “false or misleading information” an offence (subject of course to the statutory definitions being met). Clause 81 provides as follows:

(1) A care provider of a specified description commits an offence if—

(a) it supplies, publishes or otherwise makes available information of a specified description,

(b) the supply, publication or making available by other means of information of that description is required under an enactment or other legal obligation, and

(c) the information is false or misleading in a material respect.

The aims of this clause are not confined to matters affecting personal privacy – indeed, the explanatory document suggests it is confined to ‘management information’. There may, however, be some crossover with information on individual cases, particularly in ‘low cell count’ cases where individuals could be identified from higher-level data. The Data Protection 1998 does not use the language of “misleading” – focusing instead on inaccuracy and fairness. There are often DPA-related grievances, however, in which “misleading” is an excellent summary of the data subject’s concern.

Robin Hopkins

Tags: , ,
Posted in INFORMATION LAW | Comments Off on Information rights: proposed legislative changes and more

Thirteen deadly sins: new ICO guidance on vexatious requests

May 17th, 2013 by Robin Hopkins

On Wednesday, the ICO launched its new guidance on section 14 (vexatious requests) on Wednesday. This follows the Upper Tribunal’s recent decisions on this exemption (Panopticon passim), as well as decisions such as Salford City Council v IC and TieKey Accounts (EA/2012/0047) concerning reliance on section 14 to avoid incurring unreasonable cost burdens.

The ICO’s long-standing 5 indicators are supplanted by a new list of 13 indicators – though the emphasis remains on their not being intended as pseudo-statutory tests (and thus they are not really ‘deadly sins’). The thirteen indicators are (in no particular order):

abusive or aggressive language; burden on the authority; personal grudges; unreasonable persistence; unfounded accusations; intransigence; frequent or overlapping requests; deliberate intention to cause annoyance; scattergun approach; disproportionate effort; no obvious intent to obtain information; futile requests; frivolous requests.

The guidance addresses such topics as round robins, fishing expeditions and requesters acting in concert/as part of a campaign, all of which arise frequently for consideration by public authorities. There is also a section on “recommended actions before making a final decision” (paragraphs 93-97) which public authorities would be wise to consider with an eye on complaints to the ICO from dissatisfied recipients of section 14 notices.

For discussions of the new guidance, see these blog posts from the ICO’s Deputy Commissioner, Graham Smith, and also from FOI Man.

Robin Hopkins

Tags: , ,
Posted in INFORMATION LAW | Comments Off on Thirteen deadly sins: new ICO guidance on vexatious requests

Google: autocomplete and the frontiers of privacy

May 17th, 2013 by Robin Hopkins

Unsurprisingly, the frontiers of privacy and data protection law are often explored and extended by reference to what Google does. Panopticon has, for example, covered disputes over Google Street View (on which a US lawsuit was settled in recent months), Google’s status as a ‘publisher’ of blogs containing allegedly defamatory material (see Tamiz v Google [2013] EWCA Civ 68) and its responsibility for search results directing users to allegedly inaccurate or out-of-date personal data (see Google Spain v Agencia Espanola de Proteccion de Datos (application C-131/12), in which judgment is due in the coming months).

A recent decision of a German appellate court appears to have extended the frontiers further. The case (BGH, VI ZR 269/12 of 14th May 2013) concerned Google’s ‘autocomplete’ function. When the complainants’ names were typed into Google’s search bar, the autocomplete function added the ensuing words “Scientology” and “fraud”. This was not because there was lots of content linking that individual with those terms. Rather, it was because these were the terms other Google users had most frequently searched for in conjunction with that person’s name. This was due to rumours the truth or accuracy of which the complainants denied. They complained that the continuing association of their names with these terms infringed their rights to personality and reputation as protected by German law (Articles 823(1) and 1004 of the German Civil Code).

In the Google Spain case, Google has said that the responsibility lies with the generators of the content, not with the search engine which offers users that content. In the recent German case, Google has argued in a similar vein that the autocomplete suggestions are down to what other users have searched for, not what Google says or does.

In allowing the complainants’ appeals, the Federal Court of Justice in Karlsruhe has disagreed with Google. The result is that once Google has been alerted to the fact that an autocomplete suggestion links someone to libellous words, it must remove that suggestion. The case is well covered by Jeremy Phillips at IPKat and by Karin Matussek of Bloomberg in Berlin.

The case is important in terms of the frontiers of legal protection for personal integrity and how we allocate responsibility for harm. Google says that, in these contexts, it is a facilitator not a generator. It says it should not liable for what people write (see Tamiz and Google Spain), not for what they search for (the recent German case). Not for the first time, courts in Europe have allocated responsibility differently.

Notably, this case was not brought under data protection law. In principle, it seems that such complaints could be expressed in data protection terms. Perhaps, if the EU’s final Data Protection Regulation retains the severe penalty provisions proposed in the draft version, data protection will move centre-stage in these sorts of cases.

Robin Hopkins

Tags: , ,
Posted in INFORMATION LAW | Comments Off on Google: autocomplete and the frontiers of privacy

MPs’ expenses: copies of receipts are subject to FOIA

April 29th, 2013 by Panopticon Blog

Following the MPs’ expenses scandal, the then newly-founded Independent Parliamentary Standards Authority (IPSA) decided that it would not routinely publish images of the receipts submitted to IPSA by MPs in support of their expenses claims.  Rather, only text transcribed from the submitted receipts was to be published.

The question that arose in IPSA v Information Commissioner (EA/2012/0242) was whether images of those receipts held by IPSA contained “information” within the meaning of section 1 of FOIA, which was not captured by the transcription process favoured by IPSA. In a decision handed down today, the First-Tier Tribunal held that those images do contain such information, and so dismissed IPSA’s appeal. The receipts in question related to claims made by John Bercow MP, Alan Keen MP and George Osborne MP in 2010, which were requested by Mr Brian Leapman of the Daily Telegraph (whose FOIA requests, together with those of others, had played a vital role in the exposure of the old system of MPs’ expenses). The decision is an unusual and interesting instance of the question of “what is information?” arising for consideration in the FOIA context.

Information is defined by section 84 of FOIA (“‘information’ (subject to sections 51(8) and 75(2)) means information recorded in any form”).  The tribunal concluded that, in this case, this definition included logos, letterheads, “handwriting/manuscript comments”, and “the layout and style/design of the requested documents” – each of which were not disclosed to Mr Leapman as a result of providing a transcription, rather than a copy, of the relevant receipts.  The tribunal rejected IPSA’s submission that those materials were “merely presentational”, and went on to consider further examples of information falling within section 1 of FOIA that could be of forensic value to a person investigating expenses claims by MPs:

“…a signature on an invoice may indicate fraud if it was identical to the claimant’s signature or that of a member of his team; a shoddily presented invoice may call into question the legitimacy of the company said to have issued it, or a letterhead or logo may have changed or be different to the one usually associated with a particular company – again bringing the legitimacy of the invoice into question.

The tribunal noted that IPSA insists on seeing actual receipts for its own purposes, and that the Chief Executive of IPSA had accepted in evidence that “sight of the receipt might be more informative”.

In arriving to the conclusions above, the tribunal rejected an attempt by IPSA to rely on section 11 of FOIA to justify the method by which it chose to disclose information to Mr Leapman. Section 11(4), permits a public authority to use a means of communicating requested information that is “reasonable in the circumstances”; and section 11(1) requires a public authority to give effect to a preference for a particular form of communication to the extent that it is “reasonably practicable”.  IPSA argued that for practical reasons it was not reasonable or reasonably practicable for it to fulfill Mr Leapman’s alleged preference for disclosure by a particular means of communication (see paragraph 14).

The tribunal found, however, that section 11 cannot operate to enable a public authority to limit the information which it is obliged to disclose.  Rather, the principle question for the tribunal was whether the disclosure by IPSA to Mr Leapman in fact conveyed all of the non-exempt information contained within the receipts.  As the answer to that question was “no”, it was not necessary for the tribunal to go on to consider the applicability of section 11.

Robin Hopkins appeared for the Information Commissioner; Philip Coppel QC appeared for IPSA.

Tom Ogg

Tags: , , ,
Posted in INFORMATION LAW | Comments Off on MPs’ expenses: copies of receipts are subject to FOIA

Data protection: trends, possibilities and FOI disclosures

April 29th, 2013 by Robin Hopkins

At 11KBW’s information law seminar in May, one of the discussion topics was ‘the future of data protection’. Here are some further thoughts on some interesting trends and developments.

Progress at the EU level

A major issue on this front is of course progress on the draft EU Data Protection Regulation – on which see this blog post from the ICO’s David Smith for an overview of the issues currently attracting the most debate. While that negotiation process runs its course, the Article 29 Working Party continues to provide influential guidance for users and regulators on some of the thorniest data protection issues. Its most recent opinion addresses purpose limitation, i.e. the circumstances under which data obtained for one purpose can be put to another. A summary of its views is available here.

Subject access requests

Turning to domestic DPA litigation in the UK, practitioners should watch out for a number of other developments (actual or potential) over the coming months. On the subject access request front, for example, data controllers have tended to take comfort from two themes in recent judgments (such as Elliott and Abadir, both reported on Panopticon). In short, the courts in those cases have agreed that (i) data controllers need only carry out reasonable and proportionate searches, and (ii) that section 7(9) claims being pursued for the collateral purpose of aiding other substantive litigation will be an abuse of process.

Data controllers should, however, note that neither of those points is free from doubt: there are plenty who doubt the legal soundness of the proportionality point, and the abuse of process point has arisen for section 7(9) claims to the court – it should not, in other words, be relied upon too readily to refuse requests themselves.

Damages

Damages under section 13 of the DPA is another area of potentially important change. The Halliday v Creation Consumer Finance case (briefly reported by Panopticon) has been given further discussion in the Criminal Law & Justice Weekly here. Based on that information, perhaps the most interesting point is this: defendants have rightly taken comfort from the requirement under section 13 that compensation for distress can be awarded only where damage has also been suffered. In Halliday, however, nominal damages (of £1) were awarded, thereby apparently fulfilling the ‘damage’ requirement and opening the door for a ‘distress’ award (though note that Panopticon has not yet seen a full judgment from the Court of Appeal in this case, so do not take this as a definitive account). If that approach becomes standard practice, claimants may be in much stronger positions for seeking damages.

A further potential development on the damages front arises out of monetary penalty notices: data controllers who are subject to hefty penalties by the ICO may in some cases also find themselves facing section 13 claims from the affected data subjects themselves, presenting a worrying prospect of paying out twice for the same mistake.

Disclosure of personal data in the FOIA context

In general terms, requesters struggle to obtain the personal data of others through FOIA requests. A couple of very recent decisions have, however, gone the other way.

In White v IC and Carmarthenshire County Council (EA/2012/0238), the First-Tier Tribunal allowed the requester’s appeal and ordered disclosure of a list of licensed dog-breeders in the council’s area. In particular, it concluded that (paragraphs 21-23):

“…the Tribunal believes – on the facts of this case – that an important factor for any assessment in relation to the “fairness” of the disclosure of the personal data is best discovered from the context in which the personal data was provided to the Council in the first place.

22. The context, here, is to secure a commercial licence required by law to breed dogs. That license is necessary for the local authority to know who the licensed dog breeders in that area are, and so that the law can be enforced and welfare checks can be conducted as and when necessary in relation to the welfare of the dogs being bred commercially.

23. Licensing – in the ordinary course of things – is a public regulatory process. Indeed it was a public process in Carmarthenshire, in relation to the information that is at the core of this appeal, until the Council changed its policy in 2008.”

The Tribunal was unimpressed by the suggestive language of a survey of dog breeders which the council had carried out to support its case for non-disclosure. It also noted that a neighbouring council had disclosed such information.

The First-Tier Tribunal issued its decision in Dicker v IC (EA/2012/0250) today. It allowed the requester’s appeal and ordered disclosure of the salary of the chief executive of the NHS Surrey PCT over specified time periods, including total remuneration, expenses allowance, pension contributions and benefit details. As to legitimate interests in disclosure, the Tribunal said that (paragraph 13):

“In this case the arrangements (including secondment and recharge from another public authority at one stage) mean that the arrangements are not as transparent as might be wished and it is not entirely clear from the information published (as opposed to the assurances given) that the national pay guidance has been complied with. Mr Dicker asserted that the CEO was paid in excess of the national framework. The Tribunal was satisfied that there was a legitimate public interest in demonstrating that the national framework had been complied with and that the published information did not properly establish this”.

On the questions of distress and privacy infringements, the Tribunal took this view (paragraph 14):

“The CEO is a prominent public servant discharging heavy responsibilities who must expect to be scrutinised. Individuals in such circumstances are rational, efficient, hard-working and robust. They are fully entitled to a high degree of respect for their private lives. However the protection of personal information about their families and their health is a very different matter from having in the public domain information about income… The Tribunal simply cannot accept that anyone in such a role would feel the slightest distress, or consider that there has been any intrusion or that they would be prejudiced in any way by such information. From the perspective of the individual such information is essentially trivial; indeed, in other European societies, such information would be routinely available.”

If this approach were to become standard, the implications for public authorities would be significant.

Further, there are two very important personal data FOIA cases to look out for in the coming months. Following its decision in the Edem case late in 2012, the Upper Tribunal’s next consideration of personal data in the FOIA context is the appeal in the Morley v IC & Surrey Heath Borough Council (EA/2011/0173) case, in which the Tribunal – in a majority decision in which Facebook disclosures played a significant part – ordered the disclosure of names of certain youth councillors.

More importantly, the Supreme Court will hear an appeal from the Scottish Court of Session in July about a FOISA request for the number of individuals employed by the Council on specific points in the pay structure. The council relied on the personal data exemption (contending that individuals could be identified from the requested information), but the Scottish Information Commissioner ordered disclosure and succeeded before Scotland’s highest court. The Supreme Court will consider issues including the approach to ‘legitimate interests’ under condition 6(1) of schedule 2 to the DPA (the condition most often relied upon in support of disclosing personal data to the public). The case is likely to have far-reaching implications. For more detail, see Alistair Sloan’s blog.

Panopticon will, as ever, keep its eye on these and other related developments.

Robin Hopkins

Tags: , , , , , ,
Posted in INFORMATION LAW | Comments Off on Data protection: trends, possibilities and FOI disclosures

« Older Entries
Newer Entries »