Court of Appeal gives judgment on credit reference agencies and accuracy of personal data

February 20th, 2013 by Robin Hopkins

The fourth data protection principle requires that “personal data shall be accurate and, where necessary, kept up to date”. It does not, however “impose an absolute and unqualified obligation on [data controllers] to ensure the entire accuracy of the data they maintain. Questions of reasonableness arise in the application of the fourth principle, as paragraph 7 of Part II of Schedule I spells out.” This statement by Davis LJ (at para. 80) encapsulates the case of Smeaton v Equifax plc [2013] EWCA Civ 108, in which the Court of Appeal handed down judgment today.

Equifax is a well-known credit reference agency. Between 22 May 2002 and 17 July 2006 Equifax included in its credit file concerning the Respondent, Mr Smeaton, an entry to the effect that he was subject to a bankruptcy order. This was incorrect – that order had been rescinded in 2002.

He was subsequently declined a business loan, with serious detrimental consequences for that business. He brought a claim against Equifax for those business losses and “other losses and distress consequent upon his descent into a chaotic lifestyle”.

Initially, his cause of action was defamation. By the time of trial in 2011, it had become (a) a claim under s. 13 of the Data Protection Act 1998, and (b) a parallel common law tort claim.

The judge, HHJ Thornton QC (having substantially amended the first draft of his judgment following submissions at handing down), found that Equifax had breached the fourth data protection principle (as well as the first and the fifth, though he had heard no argument on these points), that it owed Mr Smeaton a parallel duty in tort and that he had suffered losses as a result of these breaches.

The Court of Appeal disagreed in strong terms, Tomlinson LJ saying this at para. 11 about the judge’s approach and conclusions – particularly on causation:

“In retrospect it is I think unfortunate that the judge attempted to resolve the causation issue in principle, divorced from the question what loss could actually be shown to have been caused by the asserted breaches of duty. I have little doubt that Mr Smeaton believes in all sincerity that a good number of the vicissitudes that have befallen him can be laid at the door of Equifax, but a close examination of the relationship between the losses alleged and the breaches of duty found by the judge would perhaps have introduced something in the way of a reality check. Had the judge looked at both issues together he might I think have had a better opportunity to assess the proposition in the round. As it is, the judge’s conclusion that the breaches of duty which he identified caused Mr Smeaton loss in that they prevented Ability Records from obtaining a loan in and after mid-2006 is in my view not just surprising but seriously aberrant. It is without any reliable foundation and completely unsupported, indeed contradicted, by the only evidence on which the judge could properly rely.”

Turning from the facts of the case and the question of causation to the approach to the fourth data protection principle in general, Tomlinson LJ said this at para. 44:

“The judge was also in my view wrong to regard the mere fact that the data had become inaccurate and remained accessible in its inaccurate form for a number of years as amounting to a “clearly established breach of the fourth principle” – judgment paragraph 106. Paragraph 7 of Part II provides that the fourth principle is not, in circumstances where the data accurately records [erroneous] information obtained by the data controller from the data subject or a third party, to be regarded as contravened if the data controller has, putting it broadly, taken reasonable steps to ensure the accuracy of the data. A conclusion as to contravention cannot in such a case be reached without first considering whether reasonable steps have been taken. As the facts of this case show, that may not always be a straightforward enquiry. Perhaps often it will and it may not therefore usually be difficult to establish a contravention. Once it is concluded that reasonable steps were not taken in this regard, a consumer may seek compensation under s.13. It will then be a defence for the data controller to show that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned. It may be that that enquiry is in substance no different from that required under paragraph 7 of Part II in the limited class of case to which that paragraph refers. However it should be noted that in cases not covered by paragraph 7 a contravention may be established without consideration of the reasonableness of the steps taken by the data controller. In such a case reasonableness would arise only if a defence were mounted under s.13(3).”

Tomlinson LJ then summarised the law and relevant legal guidance on credit reference agencies and bankruptcy proceedings. At para. 59, he concluded that:

“The judge’s approach begins with the observation, at paragraph 95 of the judgment, that erroneous or out of date data which remains on a consumer’s credit file can be particularly damaging. Of course this is true, and nothing I say in this judgment is intended to undermine the importance of the fourth data protection principle. But before deciding what is the ambit of the duty cast upon CRAs to ensure the accuracy of their data, it is necessary to put this important principle into context and to maintain a sense of proportion. In the context of lending, arrangements have been put in place to ensure that an applicant for credit should not suffer permanent damage as a result of inaccurate information appearing on his file. As recorded above these safeguards are set out in the Guide to Credit Scoring and are further explained in at least two other published documents…. The judge made no reference to these arrangements which are in my view relevant to the question how onerous a duty should be imposed upon a CRA to ensure that its data is accurate. I agree with Mr Handyside that in most cases of applications for credit failed on account of incorrect data the harm likely to be suffered is temporary inconvenience. It is possible that the judge overlooked this as a result of his flawed conclusion that it was inaccurate data, or more precisely the alleged breach of duty which gave rise thereto, which prevented Mr Smeaton / Ability Records from obtaining credit in and after July 2006.”

He continued at para 62:

“The judge ought in my view to have taken into account that these various publications demonstrate that both the methods by which CRAs collected and updated their data and the shortcomings in those methods were well-known to and understood by the Information Commissioner and the Insolvency Service.”

Tomlinson LJ also concluded (at paras. 67-68) that part of the judge’s conclusions on DPA breach “amounts to a conclusion that Equifax was in breach of the duty required of it under the DPA because it failed to attempt to persuade the Secretary of State and the Insolvency Service to initiate modifications to the legislative and regulatory framework and in particular failed to secure the reversal of the legislative choice made in 1986 no longer to require the automatic advertisement of annulments and rescissions. I do not consider that this is a realistic conclusion. Self-evidently it is not realistic to conclude that an exercise of this sort was either necessary or feasible in relation to a tiny number of cases where the consequences of inaccuracy could not normally be expected to be anything other than temporary inconvenience. A duty the content of which is to lobby for a change in the law must be very uncertain in its ambit and extent and in my view is implausible.”

Finally, not only had the judge erred in his approach to causation and the fourth data protection principle, he was also wrong to find that there was a parallel duty in common law: the House of Lords said in Customs and Excise Commissioners v Barclays Bank [2007] 181 that statutory duties cannot generate parallel common law ones, and on the raditional three-fold test of foreseeability, proximity and whether it is fair, just and reasonable to impose a duty, the answer here would also be ‘no’.

The judgment will be welcomed not only by credit reference agencies, but by all those data controllers whose particular circumstances mean that data inaccuracy is, best efforts notwithstanding, an occupational hazard.

For another blog post on this judgment, see Information Rights and Wrongs, where Jon Baines was quick off the mark.

Robin Hopkins

Tags: , , , , ,
Posted in INFORMATION LAW | Comments Off on Court of Appeal gives judgment on credit reference agencies and accuracy of personal data

Application of the DPA to surveillance activities

February 20th, 2013 by Panopticon Blog

By Julian Milford

The First-Tier Tribunal (“FTT”) has just issued the first ever tribunal decision concerning the application of the Data Protection Act 1998 (“DPA”) to surveillance activities: Southampton City Council v The Information Commissioner EA/2012/0171, 19 February 2013. In this case, the Council’s licensing committee had resolved in 2009 that all taxis it licensed should be fitted with digital cameras, which made a continuous audio-visual recording of passengers.  The Information Commissioner (“ICO”) issued an enforcement notice against the Council under the DPA, requiring the Council to stop audio recording, because it was in breach of the Data Protection Principles in the Act (the first Data Protection Principle in particular).

The Council appealed to the FTT. It accepted that words recorded by the equipment were “personal data” for the purposes of the DPA, and the very act of recording was a form of “processing” by the Council under the Act. What the Council disputed was (1) the conclusion that the policy involved the processing of “sensitive personal data” as well as personal data; and (2) the ICO’s finding that the recording and retention of audio data was a disproportionate interference with passengers’ privacy rights under Article 8 of the European Convention.

On both points, the FTT found in favour of the ICO. The FTT said that it was “unrealistic” to contend that the policy did not involve the processing of “sensitive personal data”: taxi users would undoubtedly from time to time discuss their own and others’ sex lives, health, politics and so on. The FTT also agreed with the ICO that although the processing served the legitimate aims of promoting public safety, preventing crime, and protecting persons, it was not proportionate. The FTT observed that there were two important points to note. First, the legitimate aim could only be directed at “taxi-related” crime: the fact that police had been able to obtain useful evidence about other crimes could not therefore come into the balance as a benefit. Secondly, the relevant benefits and disbenefits were only the marginal ones coming from audio recording, because no complaint was made about CCTV in taxis. Against that background, the policy’s significant interference with privacy rights outweighed any resulting benefits. The FTT was particularly impressed by arguments about “function creep” i.e. the use of the system for other purposes by (say) the police; and by the danger that someone would access and make improper use of the very extensive recorded information. Finally, the FTT said that the ICO was entitled to serve an enforcement notice, given the high public importance of the case.

Plainly, this is a significant decision, whose principles can be read across to a range of surveillance activities carried out by public bodies.

Timothy Pitt-Payne QC and Anya Proops of 11KBW appeared for Southampton City Council and the ICO respectively.

Posted in Uncategorized | Comments Off on Application of the DPA to surveillance activities

Electoral registration

February 11th, 2013 by James Goudie QC

The first Commencement Order has been made under the Electoral Registration and Administration Act 2013.  The Order brings into force provisions enabling Regulations to be made about the disclosure of information for the purposes of electoral registration.  The provisions are in Section 2 of and Schedule 2 to the Act (Sharing and Checking Information), amending Schedule 2 to the Representation of the People Act 1983.  The Regulations are to enable a system to be established for the verification of the eligibility of applicants and registered electors in Great Britain, and verification that applicants are the persons they claim to be.  The Regulations may authorise or require Registration Officers to require an applicant or a registered elector to provide evidence of eligibility and that an applicant is the person named in the application.

Tags:
Posted in INFORMATION LAW | Comments Off on Electoral registration

Vexatious and manifestly unreasonable requests: definitive guidance from the Upper Tribunal

February 7th, 2013 by Robin Hopkins

Public authorities often have cause to consider whether to treat requests for information as vexatious (section 14 of FOIA) or manifestly unreasonable (regulation 12(4)(b) of the EIR). Precise definitions of those terms are difficult to pin down. They are not supplied by legislation. There is no binding authority from appellate courts or tribunals on their meaning in the information rights context. The Information Commissioner’s guidance is long-standing, but First-Tier Tribunals vary in the extent to which they use that guidance.

In three distinct but related decisions published today, the Upper Tribunal (Judge Wikeley) has filled this gap, providing what is (for now) the definitive, binding guidance on what vexatiousness and manifest unreasonableness mean in this context, and how reliance on those provisions should be approached. The cases are Dransfield, Craven and Ainslie, with Dransfield serving as the lead case (for summaries of the first-instance decisions, use Panopticon’s search function).

The key principles of general application are summarised below, followed by observations on the three specific appeals.

What kind of a creature is section 14 of FOIA?

Section 14 is not stricly speaking an ‘exemption’. The purpose of the exemptions in Part 2 of FOIA “is to protect the information because of its inherent nature or quality. The purpose of section 14, on the other hand, must be to protect the resources (in the broadest sense of that word) of the public authority from being squandered on disproportionate use of FOIA (to that extent I agree with the observations of the FTT in Lee v Information Commissioner and King’s College Cambridge EA/2012/0015, 0049 and 0085 at [50])… To that extent, section 14 of FOIA operates as a sort of legislative “get out of jail free card” for public authorities. Its effect is to relieve the public authority of dealing with the request in issue, except to the limited extent of issuing a refusal notice as required by section 17. In short, it allows the public authority to say in terms that “Enough is enough – the nature of this request is vexatious so that section 1 does not apply.”” (Dransfield, paras 10-11).

What does ‘vexatious’ mean in this context?

“’Vexatious’ is a protean word, i.e. one that takes its meaning and flavour from its context.” The dictionary definition is only a starting point: irritation or annoyance alone does not suffice – public scrutiny may be irritating or annoying to some, but it is the essence of FOIA.

“The question ultimately is this – is the request vexatious in the sense of being a manifestly unjustified, inappropriate or improper use of FOIA?” (Dransfield, para 43).

Guidance and illustrations

Judge Wikeley offered illustrative guidance under four headings (see the discussion at paras 28-39 of Dransfield). At para 28, he said this:

“Such misuse of the FOIA procedure may be evidenced in a number of different ways. It may be helpful to consider the question of whether a request is truly vexatious by considering four broad issues or themes – (1) the burden (on the public authority and its staff); (2) the motive (of the requester); (3) the value or serious purpose (of the request) and (4) any harassment or distress (of and to staff). However, these four considerations and the discussion that follows are not intended to be exhaustive, nor are they meant to create an alternative formulaic check-list. It is important to remember that Parliament has expressly declined to define the term “vexatious”. Thus the observations that follow should not be taken as imposing any prescriptive and all encompassing definition upon an inherently flexible concept which can take many different forms.”

Background and context can be highly relevant. As to burden, questions of volume, breadth, pattern and duration of requests may be relevant. Note, however, that volume alone might not be decisive. Furthermore, an individual request can be vexatious.

While FOIA is axiomatically motive blind, “the proper application of section 14 cannot side-step the question of the underlying rationale or justification for the request” (Dransfield, para 34).

Series of requests can sometimes start out innocuously, but fall into “vexatiousness by drift” (Dransfield, para 37).

As to serious purpose or value, “the weight to be attached to that value or serious purpose may diminish over time. For example, if it is truly the case that the underlying grievance has been exhaustively considered and addressed, then subsequent requests (especially where there is “vexatiousness by drift”) may not have a continuing justification” (Dransfield, para 38).

Notes of caution

Judge Wikeley confirmed that the term ‘vexatious’ here applies to the request, not the requester (Dransfield, para 19).

He also warned that the right to deem a single request vexatious “should not be seen as giving licence to public authorities to use section 14 as a means of forestalling genuine attempts to hold them to account” and that “a lack of apparent objective value cannot alone provide a basis for refusal under section 14, unless there are other factors present which raise the question of vexatiousness. In any case, given that the legislative policy is one of openness, public authorities should be wary of jumping to conclusions about there being a lack of any value or serious purpose behind a request simply because it is not immediately self-evident” (Dransfield, paras 36 and 38 respectively).

Where does this leave the Commissioner’s guidance?

The guidance remains valuable, but the ‘five factors’ are at best ‘pointers to potentially relevant considerations’; they are a means to an end (the end being the ‘ultimate test’ – see above) (Dransfield, paras 39-45).

Is the test for ‘manifest unreasonableness under the EIR any different?

A short answer: no (Craven, para 30).

Regulation 12(4)(b) is different to section 14 in three ways. “First, section 14 excuses the public authority from responding, but is not formally a FOIA exemption, whereas regulation 12(4)(d) is structurally an exception under the EIR. Second, the EIR provision is expressly subject to a public interest test. Third, under the EIR there is a presumption in favour of disclosure (see regulation 12(2))” (Craven, para 19).

However, the approach to this provision is the same as the approach to section 14 of FOIA (see above), both for analytical reasons and pragmatic ones (if the approach is the same, the question of which regime applies need not be analysed).

Unlike FOIA, the EIR do not have a separate exception for cost of compliance. Regulation 12(4)(b) is the provision relied upon when the cost of compliance is disproportionate. What about FOIA? Can section 14 be used even where section 12 might also have been an option (as has been argued at First-Tier level: see the IPCC and TieKey cases, for example)? The Upper Tribunal’s answer is yes, it can. Judge Wikeley did, however, say this (Craven, para 31):

“Notwithstanding the above, if the public authority’s principal reason (and especially where it is the sole reason) for wishing to reject the request concerns the projected costs of compliance, then as a matter of good practice serious consideration should be given to applying section 12 rather than section 14 in the FOIA context. Unnecessary resort to section 14 can be guaranteed to raise the temperature in FOIA disputes. In principle, however, there is no reason why excessive compliance costs alone should not be a reason for invoking section 14, just as may be done under regulation 12(4)(b), and in either case whether it is a “one-off” request or one made as part of a course of dealings.”

The outcomes in the individual appeals

In Dransfield (which concerned a series of requests about lightning protection measures), the appeals by the Commissioner and the public authority succeeded. The request fell within section 14. Judge Wikeley concluded inter alia that:

“I have no hesitation in accepting Mr Cross’s primary submission. The FTT adopted too restrictive an approach to the application of section 14 in paragraphs [31]-[38] of the reasons for the decision. In particular, the FTT relied on an unwarranted distinction between two types of case in which there has been a past course of dealings. The FTT’s view was, in effect, that where the link between the request in issue and the previous course of dealing was one of subject matter alone, then the public authority could not treat the request as vexatious on the basis of that course of dealing, whatever other considerations might suggest. On the FTT’s approach, there had to be some “underlying grievance”, not simply a “similarity of subject matter” in order for section 14 to bite.”

In Craven (which concerned a series of requests about high voltage electric cables), the requester’s appeal was allowed on the questions of adequacy of reasons and the failure of the FTT to set out the reasons for the dissenting minority view, but the Upper Tribunal re-made the decision and concluded that section 14 and regulation 12(4)(b) had been correctly applied by the public authority.

In Ainslie, the requester’s appeal was allowed. He was found to have been acting firmly in the public interest, and “the FTT failed to find sufficient facts, and in particular to resolve certain important disputed issues on the evidence before it, and in doing so failed to provide adequate reasons for its decision” (Ainslie, para 26).

Other important points

These decisions also contain a number of points of general application beyond the vexatiousness context. All those involved in Tribunal litigation should note the following points.

The Upper Tribunal has held that, where a FTT decision is a majority one rather than unanimous, the FTT will err if it fails to set out the reasons for the minority view (Craven, para 42).

Further, while not a new point, the Upper Tribunal has confirmed the importance of FTTs giving adequate reasons (whether unanimous or majority decisions) to allow parties to know why they won or lost.

Judge Wikeley has cautioned that strike-out applications in information rights matters should not be resorted to lightly, but should only follow careful consideration (Craven, para 94).

Where section 14 or regulation 12(4)(b) are relied upon, “every effort should be made to ensure that the parties can participate in an oral hearing. This allows the relevant issues to be properly explored in a way that is simply not always possible on the papers” (Craven, para 95).

Tribunals should also be “more alive to the importance of making their processes accessible to ordinary citizens acting without the benefit of professional representation… was the request vexatious or manifestly unreasonable (or not)? The appellate process in such a case needs to focus on that question, rather than indulge in legalistic point-scoring. Tribunals are for users, after all, not just (if at all) for lawyers” (Craven, para 96).

Finally, Judge Wikeley observed that the preponderance of section 14 cases at Tribunal level was no reflection on the general usage of FOIA. At para 83 of Dransfield, he made this observation:

“As the American legal theorist Professor Karl Llewellyn wisely observed, litigated cases are inherently “pathological”; they bear the same relation to the broader set of disputes “as does homicidal mania or sleeping sickness, to our normal life” (The Bramble Bush (1960), p.58).”

For those who spend much of their life litigating, these last points are food for thought.

Tom Cross appeared for the Commissioner in all three appeals. Rachel Kamm and James Cornwell appeared for the public authorities in Dransfield and Craven respectively.

Robin Hopkins

Tags: , , ,
Posted in INFORMATION LAW | Comments Off on Vexatious and manifestly unreasonable requests: definitive guidance from the Upper Tribunal

Personal data: it’s all in the name

February 7th, 2013 by James Cornwell

A person’s name constitutes his or her personal data – so has held the Upper Tribunal recently in Information Commissioner v Financial Services Authority & Edem [2012] UKUT 464 (AAC).

Section 1(1) of the Data Protection Act 1998 (“the DPA”) defines “personal data” thus:

“‘personal data’ means data which relate to a living individual who can be identified—

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual; …”

Mr Edem made a request under the Freedom of Information Act 2000 (“FOIA”) to the Financial Services Authority (“the FSA”) seeking “a copy of all information that the FSA holds about me and/or my complaint that the FSA had failed to correctly regulate Egg plc”. The FSA declined to provide the information on various grounds. Mr Edem complained to the Information Commissioner. By the time that the Commissioner issued his Decision Notice the only remaining withheld information was the names of three FSA officials. The Commissioner upheld the FSA’s refusal to disclose this information on the basis that it was personal data of the individuals, they would have had no expectation of their names being released in public and any legitimate interest in disclosure was outweighed by the prejudice to their rights and freedoms (i.e. the information was exempt under FOIA, section 40(2) because disclosure would breach the First Data Protection Principle in Schedule 1 to the DPA).

On Mr Edem’s appeal the First-tier Tribunal (Information Rights) (“the FTT”) decided that the names of the officials did not constitute their personal data and ordered disclosure. In reaching that conclusion the FTT purported to apply the well-known analysis of the concept of personal data by Auld LJ in Durant v FSA [2003] EWCA Civ 1746, [2011] 1 Info LR 1 at [26-29]. In Durant at [28] Auld LJ identified two notions “that may be of assistance” in considering whether information relates to an person: biographical significance and focus. The FTT found that the disputed information was “not biographical in any significant sense” as it simply concerned transactions in which the individuals were involved. Further, the FTT held that the information did not have the individuals as its focus, but rather the handling of Mr Edem’s complaint.

In the Upper Tribunal Judge Jacobs rejected that analysis and allowed the Commissioner’s and FSA’s appeals against the FTT’s decision.

The Judge identified two relevant elements to the definition of personal data in section 1(1) of the DPA: relation and identification (see at [10]). Durant was a case about relation, not identification (see at [20], [29]). The Judge considered that Auld LJ’s two notions (biographical significance and focus) were not presented as being exhaustive or as defining the concept of personal data (see at [21]) and were limited to “borderline” cases (see at [23]).

Judge Jacobs considered that the ECJ’s decisions in Criminal Proceedings against Bodil Lindqvist (Case C-101/01) [2003] ECR I-6055 and European Commission v Bavarian Lager Co Ltd (Case C-28/08 P) were authority that the names of persons are personal data.

As the names of the officials were held by the FSA, the information was data for the purposes of section 1(1) of the DPA (see at [33]). Although the names were (in this case) not unique, taken together with contextual information such as grades and dates of employment they identified the officials (see at [36]).  As to the relation element of the definition of personal data, the Judge concluded that the FTT had either: (1) misdirected itself because Auld LJ’s two notions were not relevant in this case as the information requested included not just the names but other personal data including the individuals’ role within the FSA and their involvement in Mr Edem’s complaint (see at [38]); or (2) misapplied Auld LJ’s two notions. There were two ways in which such misapplication occurred. First, the FTT adopted an approach to biographical significance that was too narrow and was inconsistent with the ECJ’s decision in Bavarian Lager (see at [40]). Secondly, the holder of information has to know whether or not information is personal data at the time it is recorded and on the test adopted by the FTT information would not be biographical because its significance was not known at the time of recording (see at [41]).

Having concluded that the information was personal data Judge Jacobs set aside the FTT’s decision and re-made the decision, finding (in agreement with the Commissioner’s Decision Notice) that condition 6 of Schedule 2 to the DPA was not satisfied as no legitimate interest in disclosure had been identified.

The Upper Tribunal’s conclusion in relation to the misapplication of Auld LJ’s two notions is plainly correct – the FTT’s approach does seem to have been significantly narrower than that approved by the ECJ in Bavarian Lager. Judge Jacobs’ second point in relation to misapplication is interesting. If biographical significance is interpreted in such a way that it is dependent on subjective or context-dependent judgment, then the task of a data controller would, indeed, be rendered very difficult as information slipped into and out of being personal data.

It should be noted that both in this case and Bavarian Lager there was some additional context in which the names appeared that gave them biographical significance – the case should not be read as saying that a name on its own (devoid of context) is necessarily personal data.

The Judge’s reasoning on the FTT’s misdirection at [38] is potentially more controversial. Whilst Auld LJ clearly intended his “two notions” to be non-exhaustive, it is open to question whether the judgments in Durant can really be read as intending to limit them only to borderline cases. However, that is the stance that the Information Commissioner and the Government have traditionally taken in interpreting Durant and Judge Jacobs has accepted it.

Tags: ,
Posted in INFORMATION LAW | Comments Off on Personal data: it’s all in the name

Information “reasonably accessible” despite hefty charge

January 31st, 2013 by Charles Bourne

In Davis v ICO and Health and Social Care Information Centre (case no. EA/2012/0175, judgment 24 January 2013) the First-Tier Tribunal applied the absolute exemption under section 21 of FOIA 2000 for information which is reasonably accessible to an applicant other than under section 1. The requested information consisted of health statistics which the public authority was willing to provide to the appellant under its publication scheme for a charge of £1,550. The appellant argued that the charge meant the information could not be considered to be reasonably accessible to a person of ordinary means.

 Section 19 of FOIA requires public authorities to adopt publication schemes, subject to approval by the Information Commissioner, for the dissemination of information with or without charge. Section 20 provides for the ICO to approve model publication schemes which public authorities may adopt without further approval.

 The critical provision in this case was section 21(3) which provides that information is “not to be regarded as reasonably accessible to the applicant merely because it is available from the public authority on request, unless the information is made available in accordance with the authority’s publication scheme and any payment required is specified in, or determined in accordance with, the scheme”.

 The Tribunal interpreted this provision as meaning that if a scheme has the ICO’s approval and if the charge is specified in the scheme or ascertainable from it, the ICO and the Tribunal are required – rather than merely empowered – to regard the information as reasonably accessible.

 There was therefore no scope for the ICO or the Tribunal to judge the accessibility of the information by reference to the charge or any other factor. The ICO’s approval of the model scheme was conclusive. The Tribunal was persuaded that the ICO is indeed the appropriate authority to determine whether access is reasonable, and that it was hard to see why Parliament should enact a detailed system for approval of publication schemes and notification of charges “if compliance simply made the authority`s published information eligible for an assessment as to whether it was reasonably accessible”.

 It seems that the only remedy for an applicant who is deterred by charges is to draw the matter to the ICO’s attention. The ICO is empowered to revoke his approval on notice and, as the Tribunal noted, might take such a step if there was evidence of charges deterring information requests.

 Charles Bourne

Tags: , , , ,
Posted in INFORMATION LAW, Uncategorized | Comments Off on Information “reasonably accessible” despite hefty charge

Court of Appeal Declares Criminal Records Regime Incompatible with Article 8

January 29th, 2013 by Christopher Knight

The Court of Appeal has today handed down an important judgment in R (T & others) v Chief Constable of Greater Manchester & others [2013] EWCA Civ 25. The case concerned the blanket requirement in the Rehabilitation of Offenders Act 1974, section 113B of the Police Act 1997 and articles 3 and 4 of the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 that criminal convictions and cautions must be disclosed in an enhanced criminal record check (“ECRC”) in the context of particular types of employment (such as with children or vulnerable adults), even if those convictions or cautions would otherwise be deemed spent by the 1974 Act. (For a summary of the issues prior to the hearing, see Hannah Slarks’ post here.)

The Cases

The Court heard three conjoined cases. The lead case, T, was an appeal against a judgment of Kenneth Parker J: [2012] EWHC 147 (Admin) (upon which Robin Hopkins blogged here). T had received two cautions in relation to two stolen bicycles when he was 11 years old, which was disclosed as part of his participation in a sports studies degree course because he was required to work with children. T was not in fact prevented from completing his degree following the ECRC. JB was a lady who had been refused employment as a care home worker following the revelation in her ECRC that she had a caution for theft of some false nails eight years previously. Permission to judicially review the legislative scheme had been refused by HHJ Gosnell. A third case was also joined, that of AW, who when 16 had received custodial sentences for manslaughter and robbery arising out of a car-jacking and who wished to join the Army. Permission had been refused in her case by HHJ Gosnell, and unlike JB, permission to appeal had also been refused on the papers by the Court of Appeal.

Interference with Article 8

Lord Dyson MR, Richards and Davis LJJ accepted the written concession of the Secretary of State that there was an interference with the Article 8 rights of the claimants. There are two possible forms of interference. First, it may occur where there is disclosure of personal information which individuals wish to keep to themselves. Cautions are generally given in private and will fade into the past. Secondly, disclosure may lead to an individual’s exclusion from employment. For T, the first of these was clearly engaged, but Court also considered the second to be in play, holding that it was sufficient that disclosure “was liable to affect his ability to obtain employment”, even though it did not in fact do so: at [31]-[32].

Justification

The Court had no difficulty in finding that the criminal records regime pursued a legitimate aim, generally of protecting employers and children or vulnerable adults in their care, and particularly of enabling employers to make an assessment as to whether an individual is suitable for a particular kind of work. However, the Court held that that the disclosure of all convictions and cautions relating to recordable offences was disproportionate to that aim: at [37].

The fact that a bright-line rule had been adopted did not save the regime, where there was no attempt to control disclosure by reference to the information’s relevance to the legitimate aim. Nor did the Court accept an argument based upon resource implications. It was not necessary to consider every case individually; bright-line sub-rules could be used. The Court was particularly struck by a Criminal Records Review carried out an Independent Advisor to the Government, which had recommended the introduction of a filter to remove minor and old convictions where appropriate, which the Government had not rejected. The Independent Advisory Panel for the Disclosure of Criminal Records, set up following the Review, has been considering the issue. In short, the Court considered that there was a range of possible filter mechanisms which could have been adopted and which were, at the least, less disproportionate than the blanket requirement imposed by s.113B of the 1997 Act.

The Court drew further support from the recent decision of the Strasbourg Court in MM v UK (App. No. 24029/07) (on which see Charles Bourne’s post here), although it accepted that the judgment did not go to proportionality in terms but was a finding that the interference was not in accordance with the law. However, the Strasbourg Court had identified the blanket nature of the Northern Irish system in issue as a shortcoming and had directly relied upon the Supreme Court’s decision in R (F) v Secretary of State for Justice [2010] UKSC 17, [2011] 1 AC 331 (blanket notification requirements imposed on sex offenders without possibility of review incompatible with Article 8, a judgment which the Prime Minister described as “appalling“): at [53].

Contrary to the position taken by Kenneth Parker J, the Court of Appeal refused to consider themselves bound to find the regime compatible with Article 8 following the Supreme Court’s judgment in R (L) v Commissioner of Police for the Metropolis [2009] UKSC 3, [2010] 1 AC 410 because it had been concerned with the discretionary disclosure of police information rather than the mandatory disclosure convictions and cautions, and any assumptions made by the Supreme Court as to the compatibility of the disclosure regime had not been part of the ratio of the decision: at [62].

The 1975 Order

Kenneth Parker J had also accepted an argument from the Secretary of State that the 1975 Order could not be impugned on Article 8 grounds because to do so would presuppose that the State had a positive obligation to intervene in private employment relationships to permit individuals to conceal information about their criminal records. The Court of Appeal declined to engage in distinguishing between positive and negative obligations where the State had already “altered the legal landscape” by enacting the 1974 Act and 1975 Order. The real question was one of fair balance, which had not been struck and it would be absurd if the ECRC regime in the 1997 Act was incompatible with Article 8 so that the State could not disclose the record but that the individual, under the 1975 Order, must do so or face civil liability: at [68].

Relief

In the case of both T and JB the Court of Appeal declared the regime implemented by the 1997 Act incompatible with Article 8 ECHR, and in the case of T, that articles 3 and 4 of the 1975 Order were ultra vires because they had been made incompatibly with Article 8. However, in the case of AW permission to appeal was refused because the disclosure of convictions for manslaughter and robbery because such offences could never be spent fell within the area of discretionary judgment open to Parliament.

The Court held that it was necessary for Parliament to decide what filtering mechanism would most effectively balance the Article 8 rights of the individual with the interests of employers and vulnerable individuals. There were a number of potential approaches, and the Court declined to proscribe or provide guidance: at [69], [75]. Although it rejected a request by the Secretaries of State to narrowly limit the declarations it in respect of the 1975 Order, the Court stayed the effect of their judgment pending any application by the Secretaries of State for permission to appeal to the Supreme Court. The Court refused permission itself, and the Government has indicated that it will seek to appeal.

The judgment raises difficult questions for Parliament as to how to proceed, as well – prior to the legislation being amended – as for employers and others who wish to rely upon spent convictions or cautions as a ground for excluding employment etc. in the circumstances spelled out in the 1975 Order (such as, notably, employment involving responsibility for children and vulnerable adults).

Jason Coppel appeared for the Secretaries of State for the Home Department and Justice; Timothy Pitt-Payne QC appeared for Liberty as an intervener.

Christopher Knight

Tags:
Posted in Uncategorized | Comments Off on Court of Appeal Declares Criminal Records Regime Incompatible with Article 8

Camden squatters case – back in the first-tier tribunal

January 23rd, 2013 by Anya Proops

Last year I blogged about a decision of the Upper Tribunal in the vacant properties case, Voyias v IC & Camden LBC, where the Upper Tribunal overturned the decision of the First Tier Tribunal (FTT) in favour of Mr Voyias and remitted the case to a differently constituted FTT (see my post here). The FTT’s decision on the remitted case has just been handed down – see the decision here. The issue which the FTT had to decide upon remission was whether was whether the Camden LBC (the Council) had correctly concluded that it was entitled to refuse to disclose to Mr Voyias information identifying vacant properties in its area on the ground that the requested information was exempt from disclosure under s. 31(1)((a) FOIA (the prevention and detection of crime exemption). The particular issues the FTT had to decide were: (a) whether the requested information engaged the exemption provided for under s. 31(1)(a) and (b) whether the public interest balance weighed in favour of the exemption being maintained. In a decision which was very robustly in favour of the Council, the FTT held that the requested information had been lawfully withheld. This decision is in stark contrast with the decision reached by the original FTT which upheld Mr Voyias’ appeal in respect of the Council’s refusal.

In deciding that the requested information was lawfully withheld, the FTT was plainly mindful of the guidance given by the Upper Tribunal that, when determining whether the public interest balance weighed in favour of maintaining the s. 31(1)(a) exemption, regard should be had, not merely to the direct adverse consequences of the disclosure but also to any indirect consequences which arose as ‘realistic possibilities’. Ultimately, the FTT concluded that ‘the small weight that the public interest in disclosure bears does not come close to equalling the public interest in preventing the categories of crime we have identified in this decision’ (§55). Thus, a very strong decision in favour of the Council. No doubt the former Housing Minister, Grant Schapps MP, who scathingly described the original FTT decision as a ‘squatters’ charter’, will be substantially relieved by the new decision.

11KBW’s Ben Hooper was for the Council and Chris Knight was for the Commissioner.

Anya Proops

Posted in Uncategorized | Comments Off on Camden squatters case – back in the first-tier tribunal

Central London NHS Trust: key points from the Tribunal’s first MPN case

January 17th, 2013 by Robin Hopkins

I reported earlier this week on the outcome of the first case of this type to reach the Tribunal. Here is my analysis of the key points.

Factual background

Central London Community Healthcare NHS Trust v IC (EA/2012/00111) concerned the first monetary penalty notice (MPN) to be appealed to the First-Tier Tribunal. The Trust’s appeal has been dismissed by the Tribunal (Professor Angel, Rosalind Tatam and Paul Taylor). The decision can be accessed here: Central London NHS Trust v IC EA20120111.

The background is that the Trust had, on some 45 occasions, faxed a list of palliative care in-patients to the wrong fax number (namely to that of a member of the public who notified the Trust and said he had destroyed the faxes – but he was never traced and destruction could not be confirmed). This was sensitive personal data: it included names as well as information about patients’ medical diagnoses, treatment and domestic situations.

The MPN

The IC found that the Trust had breached the seventh data protection principle, which requires that:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

The IC decided that the three preconditions for the exercise of his discretion to issue a MPN under section 55A of the Data Protection Act 1998 had been met here. These conditions are (i) there was a serious contravention of the DPA, (ii) this contravention was of a kind likely to cause substantial damage or substantial distress, and (iii) the contravention was either deliberate, or the data controller knew or ought to have known that there was a serious risk that a contravention would occur and would be of a kind likely to cause substantial damage or distress, but failed to take reasonable steps to prevent it happening.

The IC is empowered to impose MPNs of up to £500,000. In this case, the amount was £90,000.

The Tribunal’s jurisdiction

On the Trust’s appeal, one of the first issues for the Tribunal was the extent of its statutory powers under section 49 of the DPA (which mirrors section 58 of FOIA): the Tribunal agreed with the Trust that, as with appeals under FOIA, the Tribunal had jurisdiction to consider the matter de novo; it was not restricted to a review along public law lines. It also found that it could either allow the appeal, or substitute an alternative MPN (including one imposing a higher penalty than that imposed by the IC), or substitute an enforcement notice instead (paragraphs 36-39).

Alleged indication that no MPN would be issued

The only point of evidence in dispute was the Trust’s contention that the IC’s enforcement team had indicated during the investigation that no MPN would be issued. The Tribunal found that the Commissioner’s enforcement officer “did not give any serious indication or assurance that there would be no fine or MPN in this case which in any way excluded the IC from deciding to issue an MPN” (paragraph 46).

The IC’s decision-making process

The decision to impose a penalty is taken by a Deputy Commissioner, in consultation with an internal working party comprising various senior managers within the ICO and one of the ICO’s enforcement lawyers. Having decided that an MPN should be issued, the ICO determined the amount by reference to an internal, unpublished framework as follows:

(i) Serious = £40,000 to £100,000

(ii) Very serious = more than £100,000 but less than £250,000

(iii) Most serious = more than £250,000 up to the maximum of £500,000.

It decided that this case was in the “serious” category. Its methodology was then to take the midpoint of that band and consider any aggravating or mitigating circumstances.

As required by the DPA, the ICO then issued the Trust with a Notice of Intent to issue a MPN to the value of £90,000. The Trust accepted that a financial penalty was warranted, but disputed the amount, making submissions on mitigating factors. The ICO maintained its position and issued the MPN.

‘Assessments’ and the statutory bar under section 55(3A)

By section 55(3A) of the DPA, the IC may not use anything which came to his attention pursuant to his carrying out an ‘assessment’ under section 51(7) when deciding on whether an MPN can be imposed. The Trust argued that the IC’s investigation of its voluntarily-reported breach constituted an ‘assessment’.

The Tribunal considered the rival submissions on the legislative intent behind the bar imposed by section 55(3A) (though on this point it rejected the Trust’s invitation to take ministerial statements into account, on Pepper v Hart principles) and on the range of powers open to the IC. It preferred those of the IC: section 51(7) is directed at educating and advising data controllers, on the basis of a consensual engagement, with a view to avoiding future breaches of the DPA. The aim of the statutory bar provided for under section 55A(3A) is to prevent the IC from using information he obtains via the educational/advisory process provided for under section 51(7) to impose an MPN on a data controller. This case did not involve such an educational/advisory process. There was no assessment under section 51(7) (paragraphs 87-91).

The IC’s adherence to its own policy

The Trust did not contend that the IC failed to apply the statutory guidance on MPNs. It did, however, argue that it failed to consider or adhere to its own non-statutory policy on the reporting of breaches, which said that “the Commissioner will not normally take regulatory action unless a data controller declines to take any recommended action, he has other reasons to doubt future compliance or there is a need to provide reassurance to the public”.

Again, the Tribunal found for the IC: the statutory guidance was what really mattered, but in any event the IC had not departed from its own policies (paragraphs 102-103).

The IC’s exercising of its discretion

Where the conditions for the issuing of an MPN are met, the ICO still has a discretion as to whether or not to issue one. The Trust argued that the ICO had failed to exercise its discretion lawfully: there was no evidence of it taking into account relevant considerations.

The particular considerations relied upon by the Trust were (i) the ICO failed to take proper account of the overriding policy objective to encourage cooperative working between it and data controllers and failed to give sufficient credit for the Trust’s transparency and its co-operative stance, (ii) the effect of the ICO’s policy to impose high profile fines on data controllers who voluntarily report incidents and cooperate with its investigations is to discourage other controllers from being open and transparent, and (iii) the ICO’s approach to cases of this nature creates an unfair and unsustainable distinction between those data controllers who, when suspected of being in breach of the DPA, are required to submit to assessment notices or are requested to undergo consensual audits and those, like the Trust in this case, who voluntarily submit themselves to regulatory scrutiny. The Trust argued that the ICO had failed to think about these points.

The Tribunal rejected these criticisms as misconceived (paragraph 122). While the ICO’s process could have been more comprehensible, it could not be said to have overlooked relevant matters.

Consideration of mitigating factors

Next, the Trust contended that the ICO had failed properly to consider the mitigating factors on which it made submissions. Again, the Tribunal disagreed. The ICO had not erred in this way. In any event, the Tribunal did not seem to find the mitigating factors to be particularly forceful. It said:

“The fact that there was a voluntary notification cannot be given much weight when the Trust was under, in effect, an obligation to report (both to the ICO and to the NHS regionally). In any case it was reported over a month after the breach was discovered. Co-operation was the least that could be expected for such a serious breach. By the time the Trust informed the patients over three quarters were dead. There is still no absolute guarantee the sensitive information has been destroyed. The Trust’s mitigating features are therefore features to which we find the IC could not give much weight. In any case they are almost all post facto events and nothing about the wrongdoing” (paragraph 128).

The Trust’s criticisms of the IC’s decision on the amount of the MPN

The Trust said that the IC never explained its methodology for calculating the amount of the MPN – the three categories of seriousness, for example, were never mentioned, nor was the means of calculation. Once again, the Tribunal did not agree. It considered that the IC had made the principles behind its approach clear to the Trust prior to issuing the MPN.

Notable the Tribunal observed that “We find it interesting that the contravention is only categorised as “serious” and not “very serious” as it seems to us on the facts of this case the IC could have taken a more penal approach to the amount in question” (paragraph 138) and concluded that “We are satisfied that the ICO has reached a figure within a range of reasonable figures it could have considered” (paragraph 139). It also rejected the submission that the IC failed to take the mitigating factors into account when deciding on the amount of the MPN (paragraph 148).

Discount for early payment

The final issue considered by the Tribunal is of significant importance. MPNs provide for a discount (here: 20%) for early payment. If a data controller appeals an MPN and loses, can it still claim the discount? The Trust argued that, by refusing to keep the discount offer open pending the outcome of the appeal, the IC was penalising it for exercising its legal right to have its cased tested by a Tribunal. The Tribunal disagreed: “The purpose of the scheme would appear to us to encourage early payment and also to ensure there is an early resolution to the matter. There is no provision for a without prejudice payment” (paragraph 153). The IC did not err in refusing to keep the discount offer alive, and the Tribunal refused to restore that offer.

Data controllers who contravene the DPA in a serious or potentially serious way should take note of this last point, and indeed of the Tribunal’s first excursion into the new MPN appeal territory.

First-Tier Tribunal decisions are of course not binding on other First-Tier Tribunals. There will be more appeals against MPNs later this year. Panopticon will report on whether the principles from the Central London NHS Trust case are borne out by future decisions. For now, this decision is the best data controllers have to go on.

Tim Pitt-Payne QC appeared for the Trust. Anya Proops appeared for the IC.

Robin Hopkins

Tags: , , , , , ,
Posted in INFORMATION LAW | Comments Off on Central London NHS Trust: key points from the Tribunal’s first MPN case

Tribunal dismisses first appeal against Monetary Penalty Notice

January 15th, 2013 by Robin Hopkins

One of the most notable features of the information rights landscape in 2012 was the issuing by the Information Commissioner of a number of Monetary Penalty Notices for breaches of (primarily, but not exclusively) the Data Protection Act 1998.

The First-Tier Tribunal has today given its decision in the first appeal against such a notice. Central London Community Healthcare NHS Trust v IC (EA/2012/00111) saw the Trust appeal against a £90,000 MPN for the Trust’s repeated faxing of sensitive patient data to the wrong fax number (see Panopticon’s earlier reports here and here).

A summary of the key points from this landmark decision will follow as soon as possible. For now, Panopticon can confirm that the Trust’s appeal has been dismissed.

Robin Hopkins

Tags: , , , , ,
Posted in INFORMATION LAW | Comments Off on Tribunal dismisses first appeal against Monetary Penalty Notice

« Older Entries
Newer Entries »