Recent conference papers

April 30th, 2009 by Timothy Pitt-Payne QC

On 11 KBW’s main website, you can now find some conference papers delivered this month by members of chambers.

There’s a paper that I gave at a Northumbria University conference.  The theme of the conference was information sharing; my paper is about the new law on breach of confidence (post-Campbell v MGN).

Yesterday, the LGG/11KBW legal update conference took place, with about 115 delegates.  Karen Steyn gave a paper on recent case-law affecting local authorities; the first section is about information law.  I gave a paper about employment vetting.  In discussion, delegates were clearly very interested in getting to grips with the new ISA barring regime.  Questions were raised about its implications for elected members of local authorities, and for volunteers (e.g. parents helping out in schools).  

Another subject raised in discussion was the recent decision of the Administrative Court in R(G) v Governors of X School and Y City Council.  A music assistant employed at a primary school was dismissed; the allegation was that he had formed an inappropriate relationship with a 15-year-old boy who was on work experience at the school.  The school’s disciplinary committee told the employee that they would be reporting the case to the Secretary of State for potential inclusion in “list 99” (i.e. the statutory list of those banned from working in schools).  The Court quashed the decision because the school had refused to allow legal representation at the dismissal hearing or at a forthcoming appeal.  The disciplinary proceedings, and the referral to the Secretary of State for a potential banning direction, formed part of one and the same proceedings.  Those proceedings were not criminal in nature for the purpose of article 6 of the Convention.  However, their potential consequences were grave; and procedural fairness required the claimant to be allowed legal representation, before both the school’s disciplinary committee and its appeal committee.

California court says don’t cry before you’re hurt

April 27th, 2009 by Timothy Pitt-Payne QC

In November 2007 it was announced that HMRC had lost two CDs containing personal information about 25 million people.  Since then there has been a steady stream of stories about data losses, mainly from the public sector.

The Data Protection Act 1998 requires appropriate measures to be taken against the accidental loss of personal data.  Breach of this requirement can lead to enforcement action by the Information Commissioner. An individual whose data was lost could claim compensation from the data controller under section 13 of the Act, but only on proof of damage.  If the individual had suffered identity fraud as a result of the breach then this would probably be sufficient.  What if the individual argued that he was now at a higher risk of ID fraud, even though no fraud had yet taken place?  Would this count as damage?

A US district court in California has recently considered a similar question.  In Ruiz v Gap and Vangent a laptop was stolen containing unencrypted personal data of 750,000 Gap job applicants.  In a class action, the plaintiff sued for negligence, contending that he and the other class members had suffered damage consisting of exposure to an increased risk of ID fraud.  The Court granted summary judgment to the defendants and dismissed the claim.  Speculative harm, or the threat of future harm, was not enough for a cause of action in negligence.  The plaintiff relied on cases where recovery had been allowed for medical monitoring after negligent exposure to toxic substances; the court rejected the analogy.  It also noted that Gap had informed those whose information was on the laptop, and had offered to provide them with 12 months of free credit monitoring.  The plaintiff had not taken up this offer.

In policy terms it is questionable whether strengthening individual rights of action is the best way to deal with data loss.  Of course, individuals who suffer direct financial loss – through ID fraud or otherwise – should be compensated.  But in the Ruiz type of claim individual damages are likely to be modest.  There is no great social benefit in spending a lot of time and money in order to provide a wide class of individuals with low-level compensation.  Instead the focus should be on deterring breaches and avoiding recurrence.  The Information Commissioner’s new power to fine for serious data protection breaches (DPA section 55A) is a step in the right direction, though not yet in force.

If the UK regulatory framework needs further strengthening then one option would be legislation requiring data controllers to notify affected individuals where information is lost or stolen.  Last year the Thomas/Wolpert data sharing review recommended notification to the Information Commissioner as good practice, but not as a mandatory requirement.  The Government agreed.  Its response (see page 19) made clear that it had considered, and rejected, the possibility of a US-style law requiring notification of data breaches to the individuals affected.

Incidentally, I found the Ruiz case via the excellent blog maintained by InfoSecCompliance LLC, a US firm specialising in privacy, information law and data security. David Navetta is their founding member.

Employment vetting in the news

April 24th, 2009 by Timothy Pitt-Payne QC

There’s an employment law supplement in the latest Legal Week, and I have an article about employment vetting. 

At the end of the article there’s a short discussion of something I’ve written about previously on this blog: the amount of personal information that’s now put on the internet, and its implications for recruitment. Looking at the way the article is presented, it’s clear that the editorial team thought that this was the interesting bit of the article.

I’ll be speaking about employment vetting again next week, at the Local Government Group conference on 29th April.   This event is a wide-ranging legal update for local authority lawyers – it’s a joint event between LGG and 11KBW.  If you’re coming to the conference, do come and introduce yourself and let me know what you think of the blog.

Include me out

April 17th, 2009 by Timothy Pitt-Payne QC

In the past few days there has been a lot of media coverage about online behavioural advertising – see for example this article published earlier this week in the Financial Times, under the euphonious title “A deeper peeper”. 

One important issue in this context (e.g. in assessing whether this form of advertising involves unfair processing of personal information under the Data Protection Act) is the extent to which individuals can opt out of having information collected about their web usage.  An opt out facility is offered by this site, which is maintained by a number of online advertising companies (including Google).  

If you want to see whether Google is collecting information about your advertising preferences, or if you want to change that information, then you can do so here.

There’s an important general point here.  Privacy will in future depend increasingly on two things.  One is the development of tools to enable individuals to protect their privacy.   The other is the willingness of individuals to find out about those tools and to use them.  The Information Commissioner issued a report on this subject – entitled “Privacy by design” – in November 2008.  

The other side of the coin, as far as behavioural advertising is concerned, is that some individuals will actually welcome the prospect of receiving advertisements that are targeted to their individual interests.  For instance, a number of Amazon users are happy to see book recommendations that reflect their previous use of the Amazon site.

DPA/FOIA overlap

April 14th, 2009 by Timothy Pitt-Payne QC

The overlap between FOIA and the DPA gives rise to a number of difficult problems.

In a paper just posted on 11KBW’s website (and originally delivered to a JUSTICE/Sweet & Maxwell conference in December 2008) I discuss some of these issues.  In particular, I deal with the practical problems that arise when an individual makes a request for information to a public authority and some (but not all) of the information constitutes his own personal data.  Because the request falls under both the DPA and FOIA, the Information Commissioner will need to deal with any complaint under two different legal regimes; if the requester subsequently appeals, the Information Tribunal will not have jurisdiction to deal with all the issues raised by the request.  The article suggests that the present position is unsatisfactory and discusses options for reform.

A problem shared is a breach of the DPA?

April 9th, 2009 by Timothy Pitt-Payne QC

It’s a good time for a conference about information sharing.  The data sharing provisions in the Coroners and Justice Bill have been withdrawn, in the face of widespread criticism – including from the Bar Council (for more background, see our previous posts here and here).   The question whether anything will be done to implement last year’s Thomas/Wolpert review remains an open one. 

Against this background, Northumbria University’s conference on 17th April is topical.  Speakers include Richard Thomas (coming to the end of his term as Information Commissioner), Marcus Turle from Field Fisher Waterhouse, and Steve Eccleston from Sheffield City Council.  I shall be delivering a paper about breach of confidence and its significance for information sharing (I will post it on the 11KBW website after the conference).

Recent ICO decisions on Freedom of Information

April 8th, 2009 by Amy Rogers

In Decision Notice FS50139215, issued this week, the Commissioner has ordered the Met Police to disclose particular CCTV footage showing the movements of the perpetrators of the terrorist attacks on London on 7 July 2005.

The Met had argued that the footage was exempt from disclosure under sections 30(1)(a) (information held for the purposes of an investigation) and 38(1)(a) (health and safety) of FOIA.

The Commissioner accepted that the exemption in section 30(1)(a)(i) and (ii) of FOIA was engaged. However, he rejected arguments that such disclosure would render meaningful police investigation impossible and that, pending any trial, the CCTV footage should only be disclosed to the CPS, the Courts or other bodies involved in the investigative process.

The Commissioner’s comments on the public interest in full disclosure of any material relating to the 7/7 bombings are of particular interest. He noted, for example, that whilst there had already been widespread media coverage in relation to the bombings, “full disclosure in order to avoid any suspicion of ‘spin’ or ‘cover up’ will continue to be in the public interest regardless of the volume of related information that has previously been disclosed”. On similar lines, he observed that in circumstances in which the 7/7 attacks had been the subject of conspiracy theories, the fact that “disclosure would presumably support the official account of the time line and basic facts of the attacks and reduce any perceived lack of transparency about how this account was formed, along with removing any suspicion of ‘spin’ or ‘cover up’” was a valid public interest factor in favour of disclosure.

The Commissioner rejected the Met’s claim that the exemption under section 38(1)(a) of FOIA (health and safety) was engaged at all, emphasising that the arguments advanced by the Met on this point had lacked detail in relation to the specific CCTV footage in question. He also concluded that, whilst not cited by the Met, the personal data exemption in section 40(2) of FOIA was engaged in respect of footage from which individuals other than the perpetrators of the attacks could be identified. The Met must redact this information, such as by pixellation, before the footage is disclosed.

In other Decision Notices issued this week, the Commissioner has held that:

  • Oxford, Cambridge and Manchester Universities and King’s College and University College, London must disclose information relating to primate research. A complainant had sought such information from a number of universities, including information as to the numbers and species of primates referred to in returns to the Home Office, and as to current research. The Commissioner held that the exemptions relied upon by the universities were not engaged (variously, sections 38 (health and safety), 40 (personal data) and 43 (commercial interests) of FOIA).

  • The Department of Health must disclose civil servants’ submissions to Ministers in relation to proposed variations to consultants’ contracts as part of its ‘modernising medical careers’ initiative. Whilst the exemption in section 35(1)(a) (policy) of FOIA was engaged, the public interest in maintaining the exemption did not outweigh that in disclosure (FS50151464).

  • In contrast, the FCO was entitled to refuse to confirm or deny whether it held particular information as to identification of a voice heard in the video showing the beheading of Ken Bigley in Iraq in 2004. The FCO successfully relied upon sections 23(5) (information supplied by or relating to the security services) and 24(2) (national security) of FOIA (FS50188323).

Reviewing the situation

April 6th, 2009 by Timothy Pitt-Payne QC

Under FOIA, there is no statutory duty on public authorities to operate an internal review procedure relating to their handling of FOI requests.  There is, however, an incentive for them to do so: if a review procedure is available but has not been exhausted then the Commissioner can decline to entertain a complaint from the requester under FOIA section 50.

Section 45 of the Act enables the Secretary of State to issue a Code of Practice giving guidance to public authorities about how they should operate their functions under the Act.  The Commissioner can make a practice recommendation (under section 48) where a public authority’s practice appears not to comply with the Code.

The Code issued under section 45 in November 2004 states that authorities should operate a review procedure, with decisions being made within a reasonable time.  In February 2007 the Commissioner issued guidance that a reasonable time for completing an internal review is 20 working days from the date of the request; in a small number of cases it might be reasonable to take longer, but in no case should the time taken exceed 40 days.

Today the Information Commissioner’s Office (ICO) has issued a press release about a Practice Recommendation addressed to Greater Manchester Police (GMP) dated 31st March 2009.   The Recommendation expresses concern both about the time taken by GMP to deal with internal reviews (over 150 working days in one case) and the apparent inaccuracy of some of the information provided to the ICO by GMP.  The Commissioner recommends that GMP should take steps to ensure its future compliance with the time limits in the ICO’s February 2007 guidance.   Paragraph 52 of the recommendation is significant, emphasising the ICO’s willingness to take formal action where there is continuing non-compliance with the Code. 

Incidentally, although the Practice Recommendation refers to the ICO’s February 2007 guidance, new guidance about internal reviews (dealing with both FOIA and EIR) was issued on 16th February 2009.  A useful summary of recent guidance issued by the ICO is available here, courtesy of the FOI blog maintained by the Campaign for Freedom of Information.

I am grateful to Andrew Smith (currently a pupil at 11KBW) for drawing the Practice Recommendation to my attention and helping to draft this post.

The Age of Internet Surveillance

April 6th, 2009 by Anya Proops

With effect from today, all UK internet service providers (“ISPs”) will be required to retain data relating to every email which is sent and every online telephone call which is made using their services. The data, which must be stored by ISPs for 12 months, will not include the content of the email or the call. It will however include the date, time, duration and routing of the online communication as well as information as to the internet subscriber or user.

The obligation to retain this data is imposed under the Data Retention (EC Directive) Regulations 2009 (“the Regulations”). The Regulations were enacted in order to bring into effect the provisions of the Data Retention EU Directive 2006/24/EC. The Directive was itself enacted in response to concerns that a lack of consistency of approach to data collection across Europe, particularly in the field of internet communications, was hampering the fight against crime, including international terrorism. The effect of the Regulations, which come into force today, is that the data retention principles which already apply to telecoms providers under the Data Retention (EC Directive) Regulations 2007 will now also apply to internet providers.

As well as retaining the communications data, internet service providers must afford access to particular data where they are required to do so by law (regulation 7). They must also abide by certain principles relating to the protection and security of the data (regulation 6).

Recruiting the iPod generation

April 6th, 2009 by Timothy Pitt-Payne QC

In an article in today’s Financial Times, Benjamin Akande of Webster University talks about the “iPoders” – the generation born between 1982 and 2000.  He describes a generation of technology addicts, using the internet as its first resort for information-gathering, and nurturing personal relationships through social networking and twittering.  According to Akande, as it enters the workforce this cohort will be looking for organisations that share its appetite for technological innovation. 

One issue that Akande doesn’t discuss is how iPoders view their personal privacy.  How will they react if their technology-aware future employers treat Facebook and MySpace as a legitimate part of pre-recruitment due diligence?  It’s often suggested that today’s 20-somethings are deeply relaxed about information privacy.  A more realistic view may be that, as early adopters of social networking technology, they are learning the hard way about the implications of putting personal information online.  In 2007, Oxford University students were outraged when photographs on Facebook were used in order to crack down on post-exam celebrations. 

At the same time, employers need to be cautious about googling their job applicants.  For instance, interview panels know not to ask questions about any plans for starting a family.  But what if one of the interviewers finds out information of this kind, from his online researches into the candidates?  Unless the information is wholly disregarded, there is an obvious risk of a discrimination claim if the candidate is rejected.