High Court to consider Data Protection Act bid to halt reporting of corruption allegations

February 10th, 2014 by Jason Coppel QC

Can the Data Protection Act 1998 (“DPA”) be used to prevent a respected NGO from reporting allegations of corruption by a multi-billion dollar international mining conglomerate?  That is the stark question posed by Steinmetz and others v Global Witness Limited, a recently issued High Court DPA Claim. 

Depending on which side of the litigation you are on, the Claim is an orthodox, if novel, attempt to stop the reporting of unfounded and damaging allegations of corruption brought by individuals whose names have been mentioned in accounts of those allegations.  Or an abusive attempt to prevent legitimate, public interest reporting, which threatens to censor the investigative and reporting activities of a vast swathe of NGOs.  

The Claim has been brought against the NGO Global Witness by four individuals reportedly associated with BSG Resources Limited (“BSGR”), a mining conglomerate whose interests include 50% of the Simandou iron ore reserve in Guinea.  Global Witness is a Nobel-prize nominated organisation which investigates and reports on natural-resource related conflict and corruption around the world.  Since November 2012, it has reported allegations that BSGR’s share in the Simandou reserve, one of the largest and most valuable in the world, was obtained by corruption.  These corruption allegations are currently being investigated by the Government of Guinea and by a US Federal Grand Jury.

The four Claimants are individuals who claim links with BSGR, and have been named by Global Witness in its reporting on the Guinea corruption allegations.  They include Beny Steinmetz, reported by the international media to be the founder of BSGR.  The four have made subject access requests under s. 7 DPA to obtain any personal data about them which is being held by Global Witness, have complained to the Information Commissioner (“ICO”) about non-compliance with their requests, and have now issued proceedings making various DPA claims against Global Witness, seeking declarations, disclosure, deletion of personal data and damages. http://www.bsgresources.com/bsgr-guinea/bsgr-guinea-analysis-reports/claim-filed-against-global-witness/

If successful, the Claim would prevent Global Witness from continuing to investigate and to report on the corruption allegations in connection with BSGR, and indeed from investigating and reporting on any similar allegations in the future.  The relief sought from the Court includes, in particular: 

          An order under s. 7(9) DPA that Global Witness discloses all of the personal data held about the Claimants.  Mr Steinmetz maintains that any data relating to BSGR is necessarily his personal data, and similar but less expansive claims are maintained by the other Claimants. 

          An order under s. 10 DPA that Global Witness ceases to process any of the Claimants’ personal data (which would mean, on the Claimants’ case, that it could not report any allegations about BSGR).  This relief is founded, in part, upon an allegation that the data was obtained from a person or persons who were not authorised to provide it and so invites the Court to investigate Global Witness’s sources. 

          An order pursuant to s. 14 DPA that Global Witness rectifies, blocks, erases or destroys data held which the Court is satisfied is inaccurate.  This claim seeks to use the DPA in effect to mimic a claim for libel, inviting the Court to make findings on the truth of the corruption allegations reported by Global Witness.  

          Damages for distress etc. caused to the Claimants.

For its part, Global Witness maintains that the Claim has been brought for collateral and illegitimate purposes and is an unwarranted attack on its freedom of expression.

Section 32 DPA exempts from each of the provisions relied upon by the Claimants data which are processed “only for”  “journalistic purposes”.   So a similar claim could not be maintained against an organisation like a newspaper which was engaged only in journalistic activities.  But the Claimants will presumably contend that because Global Witness is not a journalistic organisation but also engages in, for example, campaigning activities, s. 32 does not apply to their personal data which it holds.  If that is correct, the reporting activities not just of Global Witness but of a whole range of NGOs who campaign as well as engage in what they regard as public interest reporting could be subject to similar attack in reliance upon the DPA. Global Witness argues that it is not correct, and will rely upon the s. 3 Human Rights Act 1998 duty to interpret s. 32 DPA in a manner which is compatible with its freedom of expression.  So the Claim raises the stark issue of how the balance is to be struck under the DPA between the privacy rights of the Claimants and the freedom of expression of Global Witness.  Global Witness intends to apply to stay the proceedings pursuant to s. 32(4) DPA in a little-known  procedure which would require the ICO to decide on the application of s. 32 to the disputed data.  Other defences pursued by Global Witness also rely upon its right to freedom of expression under Article 10 ECHR.

Section 32 DPA is a relatively unexplored provision so far as UK courts and tribunals are concerned.  But it was subject to the detailed consideration by the Leveson Inquiry, which has in turn resulted in the ICO taking a close interest in its application.  The ICO is proposing to issue guidance to media organisations on their reliance upon s. 32:

http://ico.org.uk/news/latest_news/2014/~/media/documents/library/Data_Protection/Research_and_reports/data-protection-and-journalism-a-guide-for-the-media-draft.pdf The outcome of the Global Witness litigation will no doubt have a significant influence on the position ultimately adopted by the ICO.

Even if the Claim is ultimately unsuccessful, the prospect of expensive High Court litigation against individuals with deep pockets could have a chilling effect on the activities of NGOs like Global Witness.  It remains to be seen how the Courts and the ICO will react to what Global Witness argues to be an abuse of the DPA in order to attack legitimate, public interest investigation and reporting which would be protected from such attack if carried out by a traditional news organisation.

Anya Proops of 11KBW represents Global Witness, instructed by Mark Stephens of HowardKennedyFsi

Jason Coppel QC

Tags:
Posted in INFORMATION LAW | Comments Off on High Court to consider Data Protection Act bid to halt reporting of corruption allegations

Use of disclosed documents

February 7th, 2014 by James Goudie QC

The important general principle is of course that a party to whom a document has been disclosed in litigation may use that document only for the purpose of the proceedings in which it is disclosed.  There are, nonetheless, three significant exceptions to that principle, set out in CPR r31.22(1).  They are (a) where the document has been read to or by the Court, or referred to, at a hearing which has been held in public; (b) where the Court gives permission; or (c) where the party who disclosed the document and the party to whom the document belongs agree.   However, r31.22(2) provides that the Court may make an Order restricting or prohibiting the use of a document which has been disclosed, even where the document has been read to or by the Court, or referred to, at a hearing which has been held in public.  An application for such an Order was considered by the High Court in Smith & Nephew PLC v Convatec Technologies Inc [2014] EWHC 146 (Pat).  Birss J granted a Permanent Order prohibiting the use after trial of certain documents which had been disclosed during patent infringement proceedings.  The documents covered by the Order included those which made reference to commercial strategy or to manufacturing processes.  The nature and details of the claimants’ secret processes had to be explored in the proceedings.  Justice could not be done without it.  A number of those documents played a crucial role in Court, but the outcome could be understood without them.  The documents covered by the Order did not, however, include documents which related to the claimants’ dealings with regulatory authorities, which went to a springboard injunction question.  Although the claimants had built up very substantial experience and know-how in dealing with regulatory authorities, disclosure of those documents would not reveal that know-how or damage the claimants at all.

An Order restricting use of disclosed documents referred to in Court is consistent with it being “highly desirable” (para 11) to avoid trials in private or partly in private, as was recently reiterated by Lord Neuberger in Bank Mellat v H. M. Treasury [2013] UKSC 38 at para 2.

Posted in INFORMATION LAW | Comments Off on Use of disclosed documents

11KBW Information Law Conference, 18th March 2014

February 6th, 2014 by Panopticon Blog

11KBW is very pleased to announce that its annual Information Law Conference will be held on 18th March 2014 at the Royal College of Surgeons of England. The conference will cover a range of topical issues including surveillance law in the post-Snowden world, the relationship between information rights and the Article 10 right to freedom of expression and the controversial role played by the FOIA veto.  The conference will also include case-law updates on FOIA, the EIR and the DPA. This year we are delighted to welcome Upper Tribunal Judge Nicholas Wikeley as our keynote speaker.

The full programme can be accessed here.

CPD

The conference will be accredited 4.5 hours CPD – SRA/BSB

Cost

£99 + VAT (20%) = £118.80 to attend half day plus lunch

£150 + VAT (20%) = £180.00 to attend full day

How to Book

To book your place on this conference please email RSVP@11kbw.com with the delegate name, firm, email address and any purchase order details you may require. You will be then sent a confirmation email of your place and invoiced. We do not have the facilities to accept payments by credit or debit cards.

Tags:
Posted in INFORMATION LAW | Comments Off on 11KBW Information Law Conference, 18th March 2014

Closed procedure guidance: the Browning version

February 4th, 2014 by Robin Hopkins

Reference to closed material is inherent in FOIA litigation. Some element of closed procedure is usually also needed. But how are these closed aspects to be approached so as to accord with principles of justice, fairness and openness?

I blogged last year on the case of Browning v IC and DBIS [2013] 2 Info LR 1, in which the Upper Tribunal appeared to answer those questions. A curious feature of that judgment was that the Upper Tribunal said it was not giving guidance on closed material/procedures, whereas the substance of its judgment seemed to contain precisely that.

The coming months will bring greater clarity. The Court of Appeal has recently given permission to appeal in Browning.

Panopticon understands that the appeal is likely to be heard in the first half of 2014, that it will be heard by three Lord/Lady Justices of Appeal and that consideration is to be given to including among those three the Master of the Rolls or the Vice-President of the Court of Appeal (Civil Division). All of these factors seem to point towards the considerable importance which is – rightly – being attached to the issues concerning closed material and procedures in FOIA/EIR litigation.

Panopticon will report further – on an open basis – in due course.

Robin Hopkins @hopkinsrobin

Tags: , , , , ,
Posted in INFORMATION LAW | Comments Off on Closed procedure guidance: the Browning version

George Osborne, Nigel Lawson and FOIA – political vs official information

January 20th, 2014 by Robin Hopkins

Government ministers wear two hats (apart from Vince Cable – he seems to like hats, and probably has quite a few). They are public officials, but they are also party politicians. Both of those activities are likely to generate recorded information. FOIA extends to the official information, but not the party political. This is well established in principle, but not straightforward to apply, since the two categories will often overlap. It is also surprisingly untested before Tribunals. Michael Gove was due to test the principle in a 2012 appeal, but that was withdrawn.

The issue has now been considered by the Tribunal in Brendan Montague v IC and HM Treasury (EA/2013/0074): 029 070114 Final Decision EA-2013-0074. The information in dispute was a record of a telephone conversation which took place on a Sunday morning in September 2011 between the Chancellor of the Exchequer, George Osborne, and one of his predecessors, Lord Lawson.

The ICO’s position (and that of HMT) was that some of that information was predominantly party political in nature and was thus not held by HM Treasury for FOIA purposes. The remainder was exempt under section 35(1)(a), i.e. insofar as official business was being discussed, it related to the formulation or development of government policy, and the public interest favoured maintaining the exemption.

The Tribunal disagreed on the first point: while it accepted the principle, it had “no hesitation” in concluding that all of the disputed information in this case was held by HMT for official purposes rather than Mr Osborne’s party-political ones. It was not attracted by dissecting and partitioning the record between the party-political and the official in this instance, and it favoured a restrictive approach to a principle by which information could be taken outside of FOIA’s reach.

On the section 35(1)(a) point, the Tribunal agreed that there was a need for a safe space, given the high-level economic policy issues – including concerning the banking sector – which were being discussed. It was satisfied that the disputed information did not indicate that any impropriety or lobbying was at play.

I appeared for the ICO; my colleague Julian Milford appeared for HMT. No further analysis from me, given my involvement in the case, but I post it here because of the relative novelty of the political/official information point which, one suspects, will rear its head in other cases in future.

Robin Hopkins @hopkinsrobin

Tags: , , ,
Posted in INFORMATION LAW | Comments Off on George Osborne, Nigel Lawson and FOIA – political vs official information

Personal data and fitness to practice investigations – Tribunal overturns ‘neither confirm nor deny’ position

January 17th, 2014 by Robin Hopkins

When an identifiable individual has been the subject of a formal complaint about their competence or conduct, that fact constitutes their personal data. In terms of privacy/publicity decisions, such situations are often approached in this way: where the complaint is well founded or at least merits serious consideration, publication is warranted, but otherwise confidentiality is maintained, lest unjustified aspersions be cast against that person.

In that respect, the process outlined by the Tribunal in Foster v IC (EA/2013/0176) – which concerned a complaint to the Nursing & Midwifery Council – is typical:

“The complaints procedure administered by the NMC has two stages. The first stage is designed to determine whether or not the matter should be referred to the NMC’s Fitness to Practice Panel. If it is, then the Panel will meet in public and its decision will be made publicly available. But if the complaint does not proceed beyond the first stage, (either because a decision is made not to investigate or because the NMC’s Investigating Committee Panel concludes that the complaint does not justify a reference to the Fitness to Practice Panel), then the process remains confidential. The rationale appears to be that an individual’s professional reputation should not be undermined by the publication of allegations that are found not to have sufficient merit to justify being referred to the Fitness to Practice Panel”.

The Appellant, whose son died following his participation in a drug trial, considered that the NMC investigation in this case – which did not pass the first stage – may have been inadequate. She asked for information about its investigation into her complaint about a named practitioner.

The NMC adopted a ‘neither confirm nor deny’ position under section 40(5), i.e. it considered that to say whether or not it held information on a complaint about this individual would be to tell the world at large whether or not that person had been the subject of a professional complaint of this description. The ICO agreed, but the Tribunal overturned that decision, ordering the NMC to confirm or deny whether it held the requested information.

In reaching that view, the Tribunal – while not passing judgment on the merits of the complaint or the NMC’s investigation – considered the criticisms that had been made:

“If it were to be the case that any member of the care team had realised the error earlier, but had not raised the alarm until after its very sad consequences had become clear, then there would seem to us to be strength in the Appellant’s argument that the evidential basis for the decision of the NMC’s Investigating Committee Panel required investigation”.

In those circumstances, the Tribunal thought the fairness balance favoured confirming or denying whether the requested information was held:

“In reaching that conclusion we reject the Information Commissioner’s argument that it is always unfair, and therefore in breach of the Data Protection Principles, to make a statement that discloses the existence of a complaint of professional misconduct against an individual, where there has been no finding of wrongdoing or malpractice. That would create an inflexible test which prevented all relevant circumstances being taken into account. Nor do we accept the Information Commissioner’s argument that the limited degree of disclosure involved in a “confirm or deny” response would constitute unwarranted interference into X’s privacy, without satisfying a legitimate public interest in disclosure”.

Public authorities who routinely adopt a default ‘neither confirm nor deny stance’ of the type outlined at the start of this post will wish to note that, at least in some circumstances, that approach can be called into question.

Robin Hopkins @hopkinsrobin

Tags: , , ,
Posted in INFORMATION LAW | Comments Off on Personal data and fitness to practice investigations – Tribunal overturns ‘neither confirm nor deny’ position

The Google/Safari users case: a potential revolution in DPA litigation?

January 16th, 2014 by Robin Hopkins

I posted earlier on Tugendhat J’s judgment this morning in Vidal-Hall and Others v Google Inc [2014] EWHC 13 (QB). The judgment is now available here – thanks as ever to Bailii.

This is what the case is about: a group of claimants say that, by tracking and collating information relating to their internet usage on the Apple Safari browser without their consent, Google (a) misused their private information (b) breached their confidences, and (c) breached its duties under the Data Protection Act 1998 – in particular, under the first, second, sixth and seventh data protection principles. They sought damages and injunctive relief.

As regards damages, “what they claim damages for is the damage they suffered by reason of the fact that the information collected from their devices was used to generate advertisements which were displayed on their screens. These were targeted to their apparent interests (as deduced from the information collected from the devices they used). The advertisements that they saw disclosed information about themselves. This was, or might have been, disclosed also to other persons who either had viewed, or might have viewed, these same advertisements on the screen of each Claimant’s device” (paragraph 24).

It is important to note that “what each of the Claimants claims in the present case is that they have suffered acute distress and anxiety. None of them claims any financial or special damage. And none of them claims that any third party, who may have had sight of the screen of a device used by them, in fact thereby discovered information about that Claimant which was detrimental” (paragraph 25).

The Claimants needed permission to serve proceedings on the US-based Google. They got permission and served their claim forms. Google then sought to have that service nullified, by seeking an order declaring that the English court has no jurisdiction to try these particular claims (i.e. it was not saying that it could never be sued in the English courts).

Tugendhat J disagreed – as things stand, the claims will now progress before the High Court (although Google says it intends to appeal).

Today’s judgment focused in part on construction of the CPR rules about service outside of this jurisdiction. I wanted to highlight some of the other points.

One of the issues was whether the breach of confidence and misuse of private information claims were “torts”. Tugendhat J said this of the approach: “Judges commonly adopt one or both of two approaches to resolving issues as to the meaning of a legal term, in this case the word “tort”. One approach is to look back to the history or evolution of the disputed term. The other is to look forward to the legislative purpose of the rule in which the disputed word appears”. Having looked to the history, he observed that “history does not determine identity. The fact that dogs evolved from wolves does not mean that dogs are wolves”.

The outcome (paragraphs 68-71): misuse of private information is a tort (and the oft-cited proposition that “the tort of invasion of privacy is unknown in English law” needs revisiting) but breach of confidence is not (given Kitetechnology BV v Unicor GmbH Plastmaschinen [1995] FSR 765).

Google also objected to the DPA claims being heard. This was partly because they were raised late; this objection was dismissed.

Google also said that, based on Johnson v MDU [2007] EWCA Civ 262; (2007) 96 BMLR 99, financial loss was required before damages under section 13 of the DPA could be awarded. Here, the Claimants alleged no financial loss. The Claimants argued against the Johnson proposition: they relied on Copland v UK 62617/00 [2007] ECHR 253, argued for a construction of the DPA that accords with Directive 95/46/EC as regards relief, and argued that – unlike in Johnson – this was a case in which their Article 8 ECHR rights were engaged. Tugendhat J has allowed this to proceed to trial, where it will be determined: “This is a controversial question of law in a developing area, and it is desirable that the facts should be found”.

If the Johnson approach is overturned – i.e. if the requirement for financial loss is dispensed with, at least for some types of DPA claim – then this could revolutionise data protection litigation in the UK. Claims under section 13 could be brought without claimants having suffered financially due to the alleged DPA breaches they have suffered.

Tugendhat went on to find that there were sufficiently serious issues to be tried here so as to justify service out of the jurisdiction – it could not be said that they were “not worth the candle”.

Further, there was an arguable case that the underlying information was, contrary to Google’s case, “private” and that it constituted “personal data” for DPA purposes (Google say the ‘identification’ limb of that definition is not met here).

Tugendhat was also satisfied that this jurisdiction was “clearly the appropriate one” (paragraph 134). He accepted the argument of Hugh Tomlinson QC (for the Claimants) that “in the world in which Google Inc operates, the location of documents is likely to be insignificant, since they are likely to be in electronic form, accessible from anywhere in the world”.

Subject to an appeal from Google, the claims will proceed in the UK. Allegations about Google’s conduct in other countries are unlikely to feature. Tugendhat J indicated a focus on what Google has done in the UK, to these individuals: “I think it very unlikely that a court would permit the Claimants in this case to adduce evidence of what Mr Tench refers to as alleged wrongdoing by Google Inc against other individuals, in particular given that it occurred in other parts of the world, governed by laws other than the law of England” (paragraph 47).

Robin Hopkins @hopkinsrobin

Tags: , , , ,
Posted in INFORMATION LAW | Comments Off on The Google/Safari users case: a potential revolution in DPA litigation?

UCAS and the extent of FOIA: Tribunal favours wide approach

January 16th, 2014 by Robin Hopkins

Transparency advocates often express frustration at the number of bodies which are not within the scope of FOIA, because they are not listed or designated as ‘public authorities’ for FOIA purposes. The Coalition government responded by announcing, in January 2011, that FOIA would be extended to a number of additional bodies. This was done with effect from 1 November 2011, through the Freedom of Information (Designation as Public Authorities) Order 2011. This brought the Association of Chief Police Officers of England, Wales and Northern Ireland (ACPO); the Financial Ombudsman Service and the Universities and Colleges Admissions Service (UCAS) within the scope of FOIA.

As regards UCAS, the difficulty is that this was not done in a straightforward blanket way. In recognition of the diversity of UCAS’ functions, its amenability to FOIA was limited to information relating to the “provision and maintenance of a central applications and admissions service”. This frames UCAS’ duties in a positive way.

This is similar – but not the same as – the approach taken to the BBC, which is subject to FOIA “in respect of information held for purposes other than those of journalism, art or literature”. This frames the BBC’s duties in a negative way.

The Supreme Court in BBC v Sugar (No2) told us how to approach the extent of the BBC’s FOIA duties. How should Sugar be applied to the differently-worded UCAS provision?

This was the issue before the Tribunal in University and College Admission Service v IC and Lord Lucas (EA/2013/0124), the requester (the author of the Good Schools Guide) made a number of requests to UCAS about university admissions. Some were refused on section 12 (cost of compliance) grounds; the ICO agreed with UCAS that the remaining information was exempt under section 43(2) (prejudice to commercial interests). UCAS and the ICO disagreed, however, about the extent to which UCAS was subject to FOIA.

UCAS argued that Sugar required the Tribunal to consider whether the information was held, to any significant degree, for a purpose other than the designation (in particular, UCAS’s commercial functions), and if so, it fell outside the scope of FOIA.

The ICO argued that because the BBC and UCAS were in reverse positions (the BBC being subject to a specific exclusion, and UCAS subject to a specific inclusion), the question should be whether the information was held to any significant degree for the designated purpose, and if so, it fell within the scope of FOIA. Both parties argued that the other was turning Sugar on its head.

The Tribunal adopted the ICO’s analysis of Sugar. The primary purpose of the 2011 Order was to bring UCAS within the scope of FOIA and subject it to the principles of greater openness and transparency that such a designation was designed to bring: at [68]. The focus of the phrase “the provision and maintenance of a central applications and admissions service”, taken with section 7(5) FOIA, is on what is actually caught by FOIA and the purpose of that wording is specifically to include information: at [66].

In favouring this wider approach to the application of FOIA to UCAS, the Tribunal said this:

“71. Most persuasive is the IC’s point that, in construing the scope of the 2011 Designation Order, it is important to recall that Parliament would have been well aware of the existing exemptions provided in FOIA. There is no need to read the 2011 Designation Order narrowly to ensure there is no overlap with a commercial function of UCAS because section 43 FOIA itself provides protection to UCAS in relation to information which prejudices its commercial interests.

72. The approach of UCAS in this case would have the result that only admissions data relating to the currently live admissions round would fall within the scope of FOIA. This surprisingly narrow result is unlikely to have been the one intended by Parliament when designating UCAS as a public authority for FOIA, not least because the ‘”provision and maintenance of a central applications and admissions service” does not suggest such an outcome.”

11KBW’s Chris Knight appeared for the ICO.

Robin Hopkins @hopkinsrobin

Tags: , ,
Posted in INFORMATION LAW | Comments Off on UCAS and the extent of FOIA: Tribunal favours wide approach

Personal data: Tribunal analyses the ‘relates to’ and ‘identification’ limbs

January 9th, 2014 by Robin Hopkins

I have commented in previous posts on how infrequently the Data Protection Act 1998 has been the subject of substantive litigation before the courts. One consequence of this is persistent uncertainty over how pivotal concepts such as ‘personal data’ are to be analysed and approached.

Last year, the High Court in Kelway v The Upper Tribunal, Northumbria Police and the Information Commissioner (2013) EWHC 2575 (Admin) considered how ‘personal data’ issues should be approached – see for example this piece by Cynthia O’Donoghue of Reed Smith.

The Kelway approach is rather complicated; it remains to be seen whether it is picked up as any sort of guiding test. The imminent Court of Appeal judgment in the Edem case is also likely to add to the picture on how to determine whether information is personal data.

As things stand, such determinations are not always straightforward. Oates v IC and DWP (EA/2013/0040) is a recent example at First-Tier Tribunal level. Mr Oates was medically examined by in connection with his incapacity benefit claim by a doctor engaged by Atos Healthcare. He was dissatisfied and complained to Atos. At the ‘independent tier’ of its complaint investigation, Atos engaged an independent medical practitioner and also an external company tasked with reviewing Atos’ handling of the initial complaint. Mr Oates wanted to know, inter alia, the names of the medical practitioner and of the company.

The DWP refused, relying on FOIA exemptions (section 40(2) and section 43(2)). The ICO decided that the withheld names should have been handled under the DPA rather than FOIA. This was because, in the ICO’s view, the withheld names constituted Mr Oates’ personal data –thus, by section 40(1) of FOIA, it was exempt under FOIA. Mr Oates had to seek it by a subject access request under the DPA instead.

The DWP said these names were not Mr Oates’ personal data. The Tribunal agreed. As to the ‘relates to’ limb of the definition of personal data, it applied Durant v FSA [2003] EWCA Civ 1746: it found there to be sufficient distance between the complaints review procedure and Mr Oates’ personal privacy to mean that the information did not ‘relate to’ him for DPA purposes.

As to the ‘identification’ limb of the definition of personal data, the DWP had argued that Mr Oates could not be identified from these names alone and that it was not in possession of information to link Mr Oates to the requested names. The ICO argued that the request itself provided that link. In other words, by asking for information about his own assessment and complaint, Mr Oates was providing the DWP with information which linked him to the requested names and allowed him to be identified as the person who had been assessed and who had complained.

Its argument was this: “at the moment when the DWP received the Request, it was put into possession of all the information it needed to relate the information requested to an identifiable individual, namely Mr Oates himself. The fact that he sought information about individuals who had been involved in the assessment of his particular complaint created the necessary connection between himself and the requested information – it both related to him and he could be identified from it.”

The Tribunal did not agree with that ‘linking’ argument. It said this:

“… we reject the Information Commissioner’s suggestion that we should take into account the Request itself. We are satisfied that the correct approach is to consider the body of relevant information held by the public authority in question immediately before the request was received. If that information can be seen to relate to the individual, and to identify him or her, then the case for characterising it as that individual’s personal data is made out. But if it does not do so then it is not appropriate, in our view, to close the circle by taking into account the additional information (as to the name of the individual who is both requester and data subject) which is set out in the request itself, in order to.”

Therefore, the ‘identification’ limb of the definition of personal data was not met either. The requested names did not comprise Mr Oates’ own personal data and fell to be dealt with under FOIA rather than through the subject access provisions of the DPA.

The decision in Oates raises a number of questions. For example, on ‘relates to’, the Durant principles are intended to offer guidance in ‘borderline’ cases – implicitly therefore, the Tribunal in Oates appears to have considered this to be a borderline situation.

On ‘identification’, the Tribunal did not mention the principle from Common Services Agency v Scottish Information Commissioner [2008] UKHL 47; [2011] 1 Info LR 184 that the ‘other information’ which can assist with identification of the individual encompasses not only information held by the data controller, but also information held by any person.

This is not to comment on whether the Tribunal reached the right decision or not – rather, it illustrates that the definition and limits of ‘personal data’ continues to raise tricky questions.

11KBW’s Tom Cross appeared for the ICO in Oates.

Robin Hopkins @hopkinsrobin

Tags:
Posted in INFORMATION LAW | Comments Off on Personal data: Tribunal analyses the ‘relates to’ and ‘identification’ limbs

Legal analysis of individual’s situation is not their personal data, says Advocate General

December 18th, 2013 by Robin Hopkins

YS, M and S were three people who applied for lawful residence in the Netherlands. The latter two had their applications granted, but YS’ was refused. All three wanted to see a minute drafted by an official of the relevant authority in the Netherlands containing internal legal analysis on whether to grant them residence status. They made subject access requests under Dutch data protection law, the relevant provisions of which implement Article 12 of Directive 95/46/EC. They were given some of the contents of the minutes, but the legal analysis was withheld. This was challenged before the Dutch courts. Questions were referred to the CJEU on the application of data protection law to such information. In Joined Cases C‑141/12 and C‑372/12, Advocate General Sharpston has given her opinion, which the CJEU will consider before giving its judgment next year. Here are some important points from the AG’s opinion.

The definition of personal data

The minutes in question contained inter alia: the name, date of birth, nationality, sex, ethnicity, religion and language of the applicant; information about the procedural history; information about declarations made by the applicant and documents submitted; the applicable legal provisions and an assessment of the relevant information in the light of the applicable law.

Apart from the latter – the legal advice – the AG’s view is that this information does come within the meaning of personal data under the Directive. She said this:

“44. In general, ‘personal data’ is a broad concept. The Court has held that the term covers, for example, ‘the name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies’, his address, his daily work periods, rest periods and corresponding breaks and intervals, monies paid by certain bodies and the recipients, amounts of earned or unearned incomes and assets of natural persons.

45. The actual content of that information appears to be of no consequence as long as it relates to an identified or identifiable natural person. It can be understood to relate to any facts regarding that person’s private life and possibly, where relevant, his professional life (which might involve a more public aspect of that private life). It may be available in written form or be contained in, for example, a sound or image.”

The suggestion in the final paragraph is that the information need not have a substantial bearing on the individual’s privacy in order to constitute their personal data.

The AG also observed that “Directive 95/46 does not establish a right of access to any or every document or file in which personal data are listed or used” (paragraph 71). This resonates with the UK’s long-established Durant ‘notions of assistance’.

Legal analysis is not personal data

AG Sharpston’s view, however, was that the legal analysis of the individuals’ situations did not constitute their personal data. Her reasoning – complete with illustrative examples – is as follows:

“55. I am not convinced that the phrase ‘any information relating to an identified or identifiable natural person’ in Directive 95/46 should be read so widely as to cover all of the communicable content in which factual elements relating to a data subject are embedded.

56. In my opinion, only information relating to facts about an individual can be personal data. Except for the fact that it exists, a legal analysis is not such a fact. Thus, for example, a person’s address is personal data but an analysis of his domicile for legal purposes is not.

57. In that context, I do not find it helpful to distinguish between ‘objective’ facts and ‘subjective’ analysis. Facts can be expressed in different forms, some of which will result from assessing whatever is identifiable. For example, a person’s weight might be expressed objectively in kilos or in subjective terms such as ‘underweight’ or ‘obese’. Thus, I do not exclude the possibility that assessments and opinions may sometimes fall to be classified as data.

58. However, the steps of reasoning by which the conclusion is reached that a person is ‘underweight’ or ‘obese’ are not facts, any more than legal analysis is.”

Interestingly, her conclusion did touch upon the underlying connection between personal data and privacy. At paragraph 60, she observed that “… legal analysis as such does not fall within the sphere of an individual’s right to privacy. There is therefore no reason to assume that that individual is himself uniquely qualified to verify and rectify it and ask that it be erased or blocked. Rather, it is for an independent judicial authority to review the decision for which that legal analysis was prepared.”

In any event, legal analysis does not amount to “processing” for data protection purposes

The AG considered that legal analysis such as this was neither ‘automatic’ nor part of a ‘relevant filing system’. “Rather, it is a process controlled entirely by individual human intervention through which personal data (in so far as they are relevant to the legal analysis) are assessed, classified in legal terms and subjected to the application of the law, and by which a decision is taken on a question of law. Furthermore, that process is neither automatic nor directed at filing data” (paragraph 63).

Entitlement to data, but not in a set form

The AG also says that what matters is that individuals are provided with their data – data controllers are not, under the Directive, required to provide it in any particular form. For example, they can extract or transcribe rather than photocopy the relevant minute:

“74. Directive 95/46 does not require personal data covered by the right of access to be made available in the material form in which they exist or were initially recorded. In that regard, I consider that a Member State has a considerable margin of discretion to determine, based on the individual circumstances in case, the form in which to make personal data accessible.

75. In making that assessment, a Member State should take account of, in particular: (i) the material form(s) in which that information exists and can be made available to the data subject, (ii) the type of personal data and (iii) the objectives of the right of access.”

If the legal analysis is personal data, then the exemptions do not apply

Under the Directive, Article 12 provides the subject access right. Article 13 provides exemptions. The AG’s view was that if, contrary to her opinion, the legal analysis is found to be personal data, then exemptions from the duty to communicate that data would not be available. Of particular interest was her view concerning the exemption under Article 13(1)(g) for the “protection of the data subject or of the rights and freedoms of others”. Her view is that (paragraph 84):

“the protection of rights and freedoms of others (that is, other than the data subject) cannot be read as including rights and freedoms of the authority processing personal data. If a legal analysis is to be categorised as personal data, that must be because it is related to the private interests of an identified or identifiable person. Whilst the public interest in protecting internal advice in order to safeguard the administration’s ability to exercise its functions may indeed compete with the public interest in transparency, access to such advice cannot be restricted on the basis of the first of those two interests, because access covers only what falls within the private interest.”

If the Court agrees with the AG’s view, the case will be an important addition to case law offering guidance on the limits of personal data. It would also appear to limit, at least as regards the exemption outlined above, the data controller’s ability to rely on its own interests or on public interests to refuse subject access requests. That said, there is of course the exemption under Article 9 of the Directive for freedom of expression.

Robin Hopkins @hopkinsrobin

Tags: , ,
Posted in INFORMATION LAW | Comments Off on Legal analysis of individual’s situation is not their personal data, says Advocate General

« Older Entries
Newer Entries »