… and then two come along at once.

On 21st March 2013 the House of Commons Justice Committee published a report about the ICO (see our earlier post here), recommending, among other matters, that the ICO should be given the power to carry out compulsory data protection audits of NHS Trusts and local authorities. With uncanny speed, on 25th March 2013 the Ministry of Justice (MOJ) published a consultation document on the proposed extension of the ICO’s compulsory audit powers to cover NHS bodies. Despite the coincidence of timing, the MOJ’s proposal is not in fact a response to the Justice Committee’s report, but is prompted by a recommendation from the ICO itself.

The MOJ’s consultation document asserts that significant data protection compliance problems exist within the NHS. Over the last six calendar years (2007-2012) the ICO has received over 5,000 data protection complaints from individuals about the health sector: the only sectors that have generated more complaints over that period are lenders, local government, and general business. During the same period, the NHS self-reported over 500 data security breaches to the ICO. The MOJ document gives six examples of monetary penalty notices against NHS bodies, for amounts ranging between £60,000 and £325,000.

The ICO can already carry out consensual audits of NHS bodies; the MOJ document refers to a number of issues that have been highlighted as a result of these, including the use of unencrypted mobile media holding sensitive personal data. Most NHS consensual audits have come about as a result of referrals from the ICO’s Enforcement team, but of the NHS organisations referred for audit by Enforcement only 53% have agreed. This compares unfavourably to the 71% level of agreement for the public sector as a whole.

A compulsory audit can be initiated by the ICO serving an “assessment notice” under DPA section 41A. Where this power exists, data controllers can still agree to consensual audits; and according to the MOJ report, no assessment notices have yet been served, because 100% of data controllers covered by the existing scope of section 41A have agreed to an audit when asked to do so by the ICO. In other words, the mere existence of the power of compulsory audit has been enough to secure compliance, meaning that so far there has been no need for the ICO to use the power.

The MOJ’s proposal to extend the power of compulsory audit does not require primary legislation: it would be given effect by an order made by the Secretary of State under section 41A(2)(b) of the Data Protection Act 1998. All public authority data controllers in the NHS would be covered, throughout the UK. In other words, the proposal would cover all NHS bodies listed in Part III of Schedule 1 to the Freedom of Information Act 2000 (likely to be amended following NHS reforms in England), and all Health Service data controllers in Scotland listed in Part 4 of Schedule 1 to the Freedom of Information (Scotland) Act 2002. Note that the proposals will not cover private or third sector health bodies providing services to the NHS, though the MOJ document refers to the possibility of a further order to include these bodies at a later date.

The consultation will remain open until 17th May 2013.

Timothy Pitt-Payne QC

On 21^st March 2013 the House of Commons Justice Committee published a report (HC 962) on the functions, powers and resources of the Information Commissioner.  It is essential reading for anyone interested in understanding the current role and future prospects of the Information Commissioner’s Office (ICO).

The Committee monitors the Ministry of Justice’s associated public bodies, and as part of this remit it maintains a close interest in the ICO.  On 5th February 2013 the Committee held an oral evidence session with the Commissioner and his two deputies; it also received written evidence and supplementary information from the ICO.  The report reflects this oral and written evidence.

The report begins by looking at the finances of the ICO in an era of public sector austerity.   The ICO performs two separate areas of work, differently funded.  Freedom of information (FOI) work is paid for by grant-in-aid from the Ministry of Justice, while data protection work is financed by the notification fee payable by data controllers under the Data Protection Act 1998 (DPA).  The Commissioner is restricted in terms of “virement” – i.e. in general he cannot use DPA resources to fund FOI work, or vice versa.

As one would expect, freedom of information funding has been affected by the general pressures on public expenditure:  the income for this work has been cut from £5.5 million in 2011-12 to £4.25 million in 2012-13, with the ICO planning for further cuts in 2013-14.  Despite these cuts, the ICO has increased the amount of FOI casework completed, and reduced its backlog in this area.  The Committee is impressed by the ICO’s success in this regard, while warning that further budget cuts would risk adversely affecting performance.  The Committee suggests that the rules about virement should be relaxed.

The suggestion that DPA income might be used to subsidise FOI work seems a sensible one.  There is considerable overlap – FOI cases about personal data are a very important source of DPA case law.  However, it is disappointing that the Committee did not tackle more directly the question of whether FOI budget cuts make sense.  An effective FOI regime is a weapon against waste and fraud, and can help keep public expenditure under control.  The sums involved are modest, in the overall expenditure context – even the 2011-12 figure represents less than 10p per head of UK population.  It is, at the very least, worth considering whether cutting FOI funding is a false economy.

At first sight the funding position for DPA work seems significantly better.  The notification fee generates an annual income of some £15 million, over three times the FOI grant-in-aid.  The problem is that the EU’s proposed Data Protection Regulation would abolish the notification fee, while at the same time imposing a wide range of additional functions on the ICO.  The Committee suggests that the combined effect of these proposals would leave the ICO with a DPA funding shortfall of over £42 million.  The position is made yet more difficult by the recommendations in the Leveson Report as to the future role of the ICO in relation to the press, which are a further source of potential demands on the ICO’s budget.  The Committee suggests that the Government needs to find a way of retaining a fee-based self-financing system for ICO work, despite the current EU proposals.

Turning to the structure of the ICO, the Committee discusses the suggestion in the Leveson report that there should be an Information Commission led by a Board of Commissioners, rather than a single Information Commissioner.  The Committee disagrees:  it prefers the current model, with a single Commissioner taking personal accountability for the ICO’s work.  The Committee also addresses the independence of the ICO.  It recommends that the ICO should become directly responsible to and funded by Parliament, so as to guarantee its independence from the Executive.  However, the Committee does not suggest that the ICO’s independence has in fact been compromised in the past by its institutional relationship with the Ministry of Justice.

As to the ICO’s statutory powers under the DPA, the Committee makes recommendations in two areas.

In relation to the criminal offence under DPA section 55, the Committee suggests that this should be made recordable – that is, convictions should be recorded on the Police National Computer and hence included in any future checks relating to the individual’s criminal record.  The Committee also calls on the Government to bring into force section 77 of the Criminal Justice and Immigration Act 2008, so as to allow custodial sentences to be imposed for breach of DPA section 55.  The Committee sets out  – at §43 of its report – a list of other offences carrying custodial penalties for which those who breach DPA section 55 might be convicted:  for instance, there is the offence of unauthorised access to computer material, under the Computer Misuse Act 1990.  The Committee does not, however, regard the existence of these other offences as an adequate substitute for custodial penalties under DPA section 55.

In relation to the Commissioner’s audit powers, the Committee considers that as a general rule public sector organisations should accept an offer of a free DPA audit from the Commissioner.  It recommends that the Commissioner’s power of compulsory audit under DPA section 41A should be extended to NHS Trusts and local authorities.

Timothy Pitt-Payne QC

In Catt v ACPO and others; T v Commissioner of Police of the Metropolis and another [2013] EWCA Civ 192, the Court of Appeal considered two appeals regarding the powers of the police to collect and retain personal information about members of the public.  Both cases turned on the application of Article 8 of the Convention; in both, the Court held that there had been an interference with the Article 8(1) right to respect for private life, and that the interference was not justified under Article 8(2).

The retention of personal information by the police has given rise to extensive litigation in recent years:  see e.g. Chief Constable of Humberside and others v Information Commissioner [2009] EWCA Civ 1079 (retention of conviction information on police national computer); and S and Marper v UK [2008] ECHR 1581 (operation of national DNA dabatase).  Although the Humberside case concerned the Data Protection Act 1998, since it arose out of enforcement action taken by the Information Commissioner under that Act, most of the cases have turned on the application of Article 8.  A recurring issue, and one on which the Catt case is especially important, is whether and in what circumstances the recording and retention of information about events taking place in public will constitute an interference with the Article 8 right to respect for private life.

The first appeal concerned Mr. John Catt, described in the judgment of the Court as someone who “over a long lifetime has been an ardent and frequent protestor against what he sees as a variety of forms of injustice”.  He had attended public demonstrations organised by “Smash EDO”, a group campaigning against a weapons manufacturer operating on the outskirts of Brighton.  Some of the core supporters of Smash EDO were prone to violence and criminal behaviour, but Mr. Catt had not been convicted of criminal conduct of any kind in connection with any demonstration that he had attended.  Personal information about Mr. Catt was held on the National Domestic Extremism Database, mostly consisting of reports by police officers attending Smash EDO demonstrations.  Mr. Catt had not been the specific target of observations, but was referred to incidentally in descriptions of what the police at the scene had observed.  It appeared that this information was to be retained indefinitely.

In judicial review proceedings, Mr. Catt contended that the continued retention of this information about him constituted an unjustified interference with his Article 8 rights.  His claim was rejected by the Divisional Court.

The second appellant, referred to as Ms T, was served with a police warning letter following an allegation that she had directed a single homophobic insult against the friend of a neighbour.  She denied the allegation; in judicial review proceedings based on an alleged infringement of her Article 8 rights, she sought an order that the police should destroy their copy of the warning letter and remove from their records all references to the decision to serve it.  Again, her claim failed at first instance.  Before the appeal hearing the police reviewed the information and decided to expunge it, but the Court of Appeal nevertheless heard and determined the appeal because of the importance of the issues raised.

The judgment in Catt begins with a survey of recent developments in relation to Article 8. This part of the judgment is likely to become an important reference point in any future cases about the retention and use of police information.

As to the circumstances in which there would be an interference with the Article 8(1) right, the Court began by referring to the observation of Lord Nicholls in Campbell v MGN Ltd [2004] UKHL 22, that the touchstone of private life is whether in respect of the disclosed facts the person in question had a reasonable expectation of privacy.  However, recent cases showed that the position was more complex.  Even information of a public nature could become private over the course of time, as memories faded.  Moreover, the storage and use of personal information gathered from open sources could nevertheless involve an interference with private life.

In relation to justification under Article 8(2), the Court reiterated the three well-known requirements that the conduct in question must be in accordance with the law; carried out in pursuit of a legitimate aim; and proportionate to the aim sought to be achieved.  The issue of “legitimate aim” did not cause any difficulty in the present cases: the police were acting to prevent disorder and crime, and protect the rights and freedoms of others.  In cases about the collection and retention of personal information about private individuals, the issues of legality and proportionality were closely related.  As to proportionality, the overriding principle was that there should be a fair balance between the personal interest of the claimant in maintaining respect for his public life, and the pursuit of a legitimate aim in the interests of the public at large.  The Court needed to pay careful attention to the nature of the information in question, the circumstances in which it could be obtained, the ways in which it could be processed and by whom, the period of retention, and the arrangements for its destruction.

Applying these principles to Mr. Catt’s case, the first issue was whether there was any interference with his right under Article 8(1).  The Divisional Court had held that there was not:  none of those attending the Smash EDO demonstrations can have had a reasonable expectation of privacy, since it was of the essence of such activity that it was of a public nature.  The Court of Appeal took a different approach, focusing on the collection and retention of data about Mr. Catt rather than on the public nature of his activities at the demonstrations themselves.  The processing and retention of even publicly available information could constitute a interference with Article 8 rights, especially when the information was subjected to systematic processing and entered on a database that was searchable by reference to specific individuals.

Turning to the issue of justification under Article 8(2), the Court focused on the issue of proportionality.  It accepted that the police needed to obtain a better understanding of how Smash EDO was organised, so as to anticipate its future conduct and tactics.  However, the Court did not consider that the information held about Mr. Catt was of sufficient value to justify its retention.  It commented that the police appeared to be recording the names of any persons they could identify at Smash EDO demonstrations, regardless of the nature of their participation.  The retention of Mr. Catt’s information on the database was therefore an unjustified interference with his Article 8 rights, and hence was unlawful.

As to the second case, that of Ms T, the Court held that the action of the police in issuing the warning letter did not in itself amount to an interference with her Article 8(1) rights, but that the retention in police records of a copy of the letter, and information describing the circumstances in which it had been issued, did constitute an interference. While the retention of this information for a short period was justified, it was hard to see how retention for more than a year or so could be of any value. If the information had not been destroyed before the appeal hearing, then its continued retention woud have been disproportionate.

The message from both cases is that, even where events take place in public, the recording and retention of information about them can interfere with the right to respect for private life.  The Court is especially concerned with the sitation where information is retained indefinitely on databases where it is searchable by reference to individual names.  In relation to justification, the cases suggest that the Court will scrutinise closely both the precise nature of the information retained, and its value for policing purposes.  The analysis in Catt will be an essential starting-point in any future consideration of how Article 8 applies to police use of information.

In the latest round of the legal and political boxing match that the Evans case has become, the Upper Tribunal (“UT”), chaired by Walker J, has decided that the government should release its “schedules and lists” of “advocacy correspondence” between Prince Charles and various government departments (see the judgment here).

The UT had previously determined, in September 2012 (see Robin Hopkins’ post) that the government should release the “advocacy correspondence” it had received from Prince Charles and which had been requested by Mr Evans as long ago as 2005. The UT had not, though, issued a substituted decision notice pursuant to that determination because it had sought the parties’ further submissions on the question of appropriate redactions to the correspondence in question.

Before any further submissions had been made, however, the Attorney General had issued a veto under s 53, which veto renders the UT’s determination in relation to the “advocacy correspondence” of no effect*. (See Christopher Knight’s previous post.)

One might have thought that that would be the end of the matter so far as the UT was concerned. However, there was a second part of Mr Evans’ request which had not been ruled on substantively as part of the UT’s decision of September 2012. As well as requesting the actual correspondence, Mr Evans had requested lists and schedules of that correspondence. At the substantive hearing, Mr Evans had conceded that, if the UT found in his favour in relation to the actual correspondence there would be no need for it to go on to consider his “lists and schedules request” because he would, if in possession of that actual correspondence, be able to produce such lists and schedules himself.

Faced with the government’s veto annulling his victory with regards to the actual correspondence, Mr Evans applied to the UT inviting it now to rule on his “lists and schedules request”. The government, represented by Jonathan Swift QC and Julian Milford, argued that the UT had no power to reopen its previous decision, contending that the UT had in its September 2012 decision made a final determination that it was unnecessary to make a substantive ruling on the “lists and schedules request”. The Information Commissioner, represented by Tim Pitt-Payne QC, agreed with the government. All parties, including Mr Evans, agreed that the limited express powers that the UT has to review its own decisions did not apply in this case.

However, Mr Evans argued that none of this mattered: he said he was not asking the UT to review its decision, or to reopen it. He was simply asking the UT to decide a part of his appeal that it had not yet decided. The UT agreed.

It went on to find that, for the same reasons as it had considered the actual correspondence should be disclosed, the lists and schedules should be disclosed. The UT said that the only difference in terms of the balance of public interests so far as the lists and schedules were concerned was that both the public interest in disclosing the information and the public interest in maintaining the exemptions relied upon were less than with the actual correspondence. Overall, though, the balance was still the same and the lists and schedules should be disclosed.

We will now have to wait and see whether the government will deliver a further punch in the form of a second veto.

The government may not, however, have the last word since Mr Evans has commenced judicial review proceedings challenging the use of the veto in this case – proceedings which will be the first such challenge to the use of the veto.

Holly Stout

* There is a question mark about the effect of the veto in this case as the power of veto in s 53(2) is drafted by reference to a ‘decision notice’, but the UT had not in fact issued a substitute decision notice at the point that the veto was exercised. This is not a point that the UT needed to address in this decision, and it appears it will probably not be dealt with as part of the judicial review proceedings either.

By Julian Milford

The First-Tier Tribunal (“FTT”) has just issued the first ever tribunal decision concerning the application of the Data Protection Act 1998 (“DPA”) to surveillance activities: Southampton City Council v The Information Commissioner EA/2012/0171, 19 February 2013. In this case, the Council’s licensing committee had resolved in 2009 that all taxis it licensed should be fitted with digital cameras, which made a continuous audio-visual recording of passengers.  The Information Commissioner (“ICO”) issued an enforcement notice against the Council under the DPA, requiring the Council to stop audio recording, because it was in breach of the Data Protection Principles in the Act (the first Data Protection Principle in particular).

The Council appealed to the FTT. It accepted that words recorded by the equipment were “personal data” for the purposes of the DPA, and the very act of recording was a form of “processing” by the Council under the Act. What the Council disputed was (1) the conclusion that the policy involved the processing of “sensitive personal data” as well as personal data; and (2) the ICO’s finding that the recording and retention of audio data was a disproportionate interference with passengers’ privacy rights under Article 8 of the European Convention.

On both points, the FTT found in favour of the ICO. The FTT said that it was “unrealistic” to contend that the policy did not involve the processing of “sensitive personal data”: taxi users would undoubtedly from time to time discuss their own and others’ sex lives, health, politics and so on. The FTT also agreed with the ICO that although the processing served the legitimate aims of promoting public safety, preventing crime, and protecting persons, it was not proportionate. The FTT observed that there were two important points to note. First, the legitimate aim could only be directed at “taxi-related” crime: the fact that police had been able to obtain useful evidence about other crimes could not therefore come into the balance as a benefit. Secondly, the relevant benefits and disbenefits were only the marginal ones coming from audio recording, because no complaint was made about CCTV in taxis. Against that background, the policy’s significant interference with privacy rights outweighed any resulting benefits. The FTT was particularly impressed by arguments about “function creep” i.e. the use of the system for other purposes by (say) the police; and by the danger that someone would access and make improper use of the very extensive recorded information. Finally, the FTT said that the ICO was entitled to serve an enforcement notice, given the high public importance of the case.

Plainly, this is a significant decision, whose principles can be read across to a range of surveillance activities carried out by public bodies.

Timothy Pitt-Payne QC and Anya Proops of 11KBW appeared for Southampton City Council and the ICO respectively.