Information Commissioner responds to Leveson

January 14th, 2013 by Holly Stout

The Information Commissioner’s Office (“ICO”) has published its response to the recommendations that Lord Justice Leveson made to the ICO and the Ministry of Justice (“MoJ”) in his Inquiry Report on the Culture, Practices and Ethics of the Press.  See here for the full response.

The ICO begins its response by reminding us of the leading role that the ICO played in revealing the press involvement in the unlawful trade in personal data in 2003 (Operation Motorman) which ultimately led to the Leveson Inquiry.

The ICO also emphasises that the Leveson Inquiry focused on events that took place between 2003 and 2007 and so Leveson’s Report does not take into account the significant strides that the ICO has made in recent years, in particular in its Regulatory Action Division and Enforcement Department and through its power to impose civil monetary penalties.

Nonetheless, the ICO is broadly welcoming of the vast majority of Leveson’s recommendations.  See Rachel Kamm’s post of 29 November 2012 for details of those recommendations.

In response to Leveson, the ICO will be:

  • Revising its Data Protection Regulatory Action Policy so that it specifically addresses how the ICO will use its regulatory powers to ensure that the press complies with the legal requirements of the data protection regime (by March 2013);
  • Developing a new Code of Practice on appropriate principles and standards to be observed by the press in the processing of personal data (hopefully within 6 months) – watch out for consultation on this;
  • Developing guidance to the public on their individual rights in relation to the obtaining and use by the press of their personal data, and how to exercise those rights (by May 2013) – watch out for a new dedicated media data rights advice on the ICO’s website;
  • Providing regular reports to Parliament (through its statutory Annual Report) on the effectiveness of the new measures and on the culture, practices and ethics of the press in relation to the processing of personal data;
  • Continuing to work with other prosecuting authorities in relation to alleged media crime (the ICO has already adopted the CPS Guidelines for Prosecutors);
  • Allocating specific responsibility for managing relations with the press and key stakeholders to the Government and Society team in its Strategic Liaison Dept and looking to establishing a media reference panel along similar lines to its existing Technology Reference Panel to ensure that a ready source of expertise is available to the ICO on key media issues;
  • Establishing an Intelligence Hub to make sure that the ICO identifies existing and emerging large-scale issues more quickly, as well as refining its process for handling high profile cases with significant policy or political implications;
  • Ensuring that its Management Board comprises people with suitable expertise from a range of backgrounds, including the media.

As to Leveson’s suggestions for amendments to the Data Protection Act 1998 (“DPA”) (see Rachel Kamm’s previous post), the ICO says that he can “see the merit in certain changes but not all of them” and emphasises that it is a matter for Parliament to determine whether the ICO should have a wider role in press regulation – the ICO is not actively seeking such a role.  Thus, while apparently

  • broadly in favour of ‘tightening up’ the current exemption from the provisions of the DPA for data processed for journalistic purposes,
  • strongly in favour of allowing individuals to claim damages for any breach of the DPA, even if it does not result in pecuniary loss, and
  • strongly in favour of bringing in ss 77 and 78 of the Criminal Justice and Immigration Act 2008 (increased sentences for criminal breaches of the DPA and enhanced defence for public interest journalism),

the ICO nevertheless sounds some notes of caution:

  • The ICO observes that Leveson’s proposed amendments to s 32 of the DPA would move the ICO much closer to being a general regulator of the press.  Section 32 currently provides an exemption from most of the requirements of the DPA for data processing undertaken ‘with a view to the publication’ of journalistic material, provided that the data controller reasonably believes would be in the public interest, ‘having regard … to the special importance of the public interest in freedom of expression’ and the data controller reasonably believes that compliance with the relevant part of the DPA would be ‘incompatible’ with the journalistic purpose.  Leveson proposes amending the exemption so that the processing must be ‘necessary’ for publication, so that no special weight is given to freedom of expression and so that the decision on whether the exemption applies is to be taken objectively rather than on the basis of the data controller’s reasonable belief.  The latter proposed change is most significant in terms of the role of the ICO.

 

  • The ICO points out that the new draft European Data Protection Regulation will require a number of changes to UK data protection law and therefore suggests that the Government may wish to consider how far it is sensible and practicable to introduce legislative changes ahead of the adoption of the new European Regulation.

 

  • The ICO says that Leveson’s recommendation that the press should never be exempt from the subject access rights in the DPA raises legitimate concerns about the ‘chilling effect’ that this might have on investigative journalism and says this area will need very careful consideration.

 

  • The ICO questions whether it is necessary to include specific provisions in the DPA requiring the IC to have special regard to the legal obligation to balance the public interest in freedom of expression alongside the public interest in upholding the data protection regime, pointing out that he is already subject to that duty by virtue of s 6 of the Human Rights Act 1998.

 

  • Similarly, the ICO suggests that there is no need to enshrine in statute a duty to consult with the CPS and other enforcement agencies, but that is already something done as a matter of course.  The ICO became a signatory to the Prosecutor’s Convention in July 2012 (an agreement between all the main government related prosecuting bodies to collaborate on cases that overlap jurisdictional areas).

 

  • The ICO points out that Leveson’s proposal to widen the ICO’s powers of prosecution to include any crimes that are likely to involve breaches of data protection principles, e.g. phone hacking, computer hacking, etc would substantially increase the ICO’s role as an investigatory and prosecuting authority which would bring with it significant resource implications.

 

  • While agreeing that the opportunity should be taken to consider the structure of the ICO and whether it would be better to have an Information Commission (i.e. a Board of Commissioners leading the organisation) rather than a single Information Commissioner, the ICO indicates that such a change would risk losing certain virtues of the current arrangements, which include the ability for the organisation to take decisions quickly where necessary and the higher degree of accountability that comes from having a single figurehead.

 Holly Stout

 

Posted in Uncategorized | Comments Off on Information Commissioner responds to Leveson

EIR Exemptions and Aggregation : a round trip

December 17th, 2012 by Charles Bourne

The First-Tier Tribunal (Information Rights) has ruled on the appeal by the Office of Communications (Ofcom) which was remitted following the Supreme Court’s judgment in Ofcom v IC [2010] UKSC 3, [2011] 1 Info LR 1288 (which itself followed the decision of the Court of Justice of the European Union in Ofcom v IC [2011] 2 Info LR 1). By its new decision of 12 December 2012 the Tribunal declined to depart from its previous decision which was made back on 4 September 2007.

This lengthy circular journey began with a request in January 2005 by a representative of Health Protection Scotland for a list of mobile phone base stations held on the “Sitefinder” website  and for information that was not publically accessible through Sitefinder such as grid references for each base station. The information was requested under the Environmental Information Regulations 2004 (EIR).

 Ofcom refused and relied on the exemption under regulation 12(5)(a), contending that the public interest favoured withholding the information since public safety would be adversely affected by the precise disclosure of the base sites. In particular, this would reveal the locations of the relevant database and thereby assist possible criminal activity. Ofcom also relied on regulation 12(5)(c), contending that the public interest favoured withholding the information because the intellectual property rights of the mobile network operators (MNOs) would thereby be adversely affected giving competitors an undue advantage.

 On 11 September 2006 the Information Commissioner (ICO) ordered disclosure, ruling that public safety would not be put at risk and also that regulation 12(5)(c) was not engaged. Ofcom appealed.

 In its 2007 decision the Tribunal upheld the ICO’s decision, taking the view that the purpose of Sitefinder was to permit important health research and that this comfortably outweighed any risk to the public from disclosing the information sought and any adverse effect to the public interest arising from prejudice to MNOs’ intellectual property rights. In particular it took the view that the exception would be made unworkable if it had regard to disadvantages the public might suffer if the MNOs, piqued by disclosure, decided permanently to withdraw their co-operation with Sitefinder.

 Ofcom appealed unsuccessfully to the Administrative Court on a number of issues but, on a further appeal to the Court of Appeal, succeeded on one i.e. whether the public interest in maintaining the two relevant exemptions could be aggregated – as opposed to the public interest balance being struck on each exemption separately.

 The ICO, undeterred, appealed this question to the Supreme Court. The Justices, unable to agree on the answer, referred it to the European Court which ruled that a public authority in these circumstances “may, when weighing the public interests served by disclosure against the interests served by refusal to disclose, in order to assess a request for that information to be made available to a natural or legal person, take into account cumulatively a number of the grounds for refusal set out in that provision.” The word “may” would prove to be rather important.

 The Supreme Court remitted the case so that the Tribunal could reconsider the public interest balance. And there this eventful journey ended with a second decision which largely echoed the first.

 The Tribunal (chaired by Tribunal Judge Marks QC) endorsed the ICO’s approach that aggregation is a right, not  a duty, so a decision maker will consider whether to aggregate but is not bound to do so. Aggregation may not always be appropriate, e.g. where the exemptions relied upon are so different that the exercise would not be feasible. The aggregation exercise is “impressionistic” rather than “mathematical”.

 What undid Ofcom was that the weight given to the exemptions was very limited. In respect of public safety, despite references to possibilities of crimes ranging from metal theft to terrorist attack, it was held that such risks already existed as a result of information already available so that disclosure of further information would not make much difference. As to intellectual property rights, the interests in question were held to be more private than public. And in each case, either they were already at risk or “the enhanced risk is so small as to be given no significance”. Once again the Tribunal ruled that it would not be appropriate to ascribe weight to any ongoing non-participation by MNOs.

 Aggregation did not alter these conclusions. The two exemptions were characterised as “apples and pears”, with no real link and thus no “sensible way of extracting or recognising, let alone applying, any common content as to public interest or interests”. But even when aggregated, the overall weight to be given to them was adjudged to be minimal. Where such minimal harm was difficult to identify and characterise in view of the large amount of information already in the public domain, an “impressionistic” approach would not lead to a different result.

 This case, believed to contain the first full consideration of aggregation, therefore does not give the impression that aggregation will be an especially powerful tool. The emphasis was on the ruling that a decision maker or tribunal may, but not must, aggregate.

 However, it remains to be seen whether future cases may bring further analysis of the “apples and pears” approach. Whilst different exemptions may protect quite different aspects of the public interest, it does not necessarily follow that the value of protecting the public in two different ways is not cumulatively greater than the value of protecting them in only one. If aggregation for some reason is “not feasible”, that is the end of the matter, but debate can be expected to continue on how often it will actually not be feasible to conduct a suitably “impressionistic” comparison of the totality of interests for and against disclosure.

Charles Bourne

Tags: , , , ,
Posted in Uncategorized | Comments Off on EIR Exemptions and Aggregation : a round trip

Supreme Court: Articles 3, 6 and 8 ECHR in child protection PII case

December 13th, 2012 by Robin Hopkins

There have been a number of important privacy judgments in recent weeks, particularly concerning Article 8 ECHR in cases with child protection elements. I have blogged on two Court of Appeal judgments. In the matter of X and Y (Children) [2012] EWCA Civ 1500 (19 November 2012) (Pill, Touslon and Monby LJJ; appeal against a decision of Peter Jackson J in the Family Division) concerned the tension between Articles 8 and 10. A second, more recent Court of Appeal judgment in Durham County Council v Dunn [2012] EWCA Civ 1654 (13 December 2012) (Maurice Kay, Munby and Tomlinson LJJ; appeal against a decision of HHJ Armitage QC) focused on balancing competing rights under Articles 8 (private and family life) and 6 (fair trial).

The Supreme Court has this week handed down an important judgment of the latter variety (Articles 8 and 6, as well as an Article 3 claim) in Re A (A Child) [2012] UKSC 60 (12 December 2012) (Lady Hale, with whom Lords Neuberger, Clarke, Wilson and Reed agreed;  appeal against a decision of McFarlane, Thorpe and Hallett LJJ).

Lady Hale began by summarising the case thus:

“We are asked in this case to reconcile the irreconcilable. On the one hand, there is the interest of a vulnerable young woman (X) who made an allegation in confidence to the authorities that while she was a child she had been seriously sexually abused by the father of a little girl (A) who is now aged 10. On the other hand we have the interests of that little girl, her mother (M) and her father (F), in having that allegation properly investigated and tested. These interests are not only private to the people involved. There are also public interests, on the one hand, in maintaining the confidentiality of this kind of communication, and, on the other, in the fair and open conduct of legal disputes. On both sides there is a public interest in protecting both children and vulnerable young adults from the risk of harm.”

In essence, X made the allegations of past sexual abuse by F to the local authority, but did not wish to take action against F. She asserted her rightsto privacy and confidentiality under Article 8  and argued that disclosure of her identity and the details of her allegations would amount to inhuman or degrading treatment contrary to Article 3.

The local authority asserted public interest immunity from disclosure. Lady Hale held that, analysed in terms of common law principles, disclosure should be ordrerd despite the important public interest in preserving the confidence of people who come forward with allegations of child abuse. At paragraph 30, she said this:

“Those allegations have to be properly investigated and tested so that A can either be protected from any risk of harm which her father may present to her or can resume her normal relationship with him. That simply cannot be done without disclosing to the parents and to the Children’s Guardian the identity of X and the detail and history of the allegations which she has made.”

The same conclusion was reached by analysing the matter in Convention terms. X’s case was primarily based on Article 3. Lady Hale agreed with the Court of Appeal that disclosure would not violate those rights: “The context here is not only that the state is acting in support of some important public interests; it is also that X is currently under the specialist care of a consultant physician and a consultant psychiatrist, who will no doubt do their utmost to mitigate any further suffering which disclosure may cause her” (paragraph 32).

Leaving aside Article 3, Lady Hale concluded that the rights of C, M and F under Articles 8 and 6 outweighed the Article 8 rights of X in the circumstances. A closed procedure seeking to minimise the impact on X’s privacy was not possible here. Furthermore, disclosure would not automatically expose X to the trauma of cross-examination: medical evidence and other means of giving evidence could, for example, be appropriate.

The case is an illuminating instance of extremely strong privacy rights being trumped by a combination of the family life rights of others, and in particular their right to a fair trial. In particular, it illustrates how, when serious allegations are made against individuals, the notion of privacy can cut both ways.

Robin Hopkins

Tags: , , , , ,
Posted in INFORMATION LAW | Comments Off on Supreme Court: Articles 3, 6 and 8 ECHR in child protection PII case

Universities and requests for lecturers’ private research: when will it be “held” by the University?

December 13th, 2012 by Julian Milford

The First-Tier Tribunal’s decision of 13 December 2012 in Montague v (1) Information Commissioner (2) Liverpool John Moores University EA/2012/0109 will be of interest to academic institutions, and any other public bodies whose employees have research interests not necessarily connected with their job. Anya Proops of 11KBW appeared for the University.

The Appellant Mr Montague asked Liverpool John Moores University for copies of emails sent by a senior lecturer at the University from his University email account, linked to his work with the Global Warming Policy Foundation (“GWPF”). The lecturer in question had worked at the University from November 1993 to July 2010 as a social anthropologist. In November 2009, he had become Director of the GWPF. The GWPF is a controversial organisation founded under the aegis of Lord Lawson, which promotes scepticism about man-made climate change.

The question at issue was whether the University “held” the information for the purposes of the Freedom of Information Act 2000 (“FOIA”), even if it was in fact contained in a university email account to which it had access.

Information is “held” by an authority for the purposes of FOIA if it is held by the authority “otherwise than on behalf of another person”, or is held by another person “on behalf of the authority”: see s.3(2) FOIA. That means mere physical possession of information is not enough to establish that information is “held”; it must also, to a sufficient extent, be meaningfully connected to the authority: see for example University of Newcastle v IC and BUAV [2011] UKUT 185 (AAC).

Both the University and the ICO considered that the University did not “hold” the information in this case, and the Tribunal agreed. The crucial point was that there was no connection between the lecturer’s private research for the GWPF, and the work he did within the University. The lecturer pursued the subject of global warming in his own free time, and exclusively in his own private interest. It had no bearing on his role as an academic employed in the University’s School of Sport and Exercise Science. The research was not funded by the University, and the University neither had any interest in the research nor sought to benefit from it. Since the emails were sent in a purely private and personal capacity, the University did not “hold” them.

This outcome is plainly in accordance with FOIA, and was perhaps inevitable on the facts. It should be of comfort to academic institutions whose lecturers pursue private interests. Of course, the situation would have been very different if the research had been connected in any way with the lecturer’s post. The decision can usefully be compared and contrasted with the ICO’s recent decision concerning emails sent by the Secretary of State for Education (Michael Gove) from his private email account. There, the information was in fact “held” by the Department for Education for the purposes of FOIA, even though the Department was not in physical possession of the information, because the ICO considered it concerned the business of the Department, rather than purely party political matters. The thread running through the two contrasting decisions is the same: what matters is not whether the authority actually has possession of the information, but whether the information has a substantial connection to its business.

Julian Milford

Posted in Uncategorized | Comments Off on Universities and requests for lecturers’ private research: when will it be “held” by the University?

CPR disclosure applications: ignore the DPA; balance Articles 6 and 8 instead

December 13th, 2012 by Robin Hopkins

It is increasingly common for requests for disclosure in pre-action or other litigation correspondence to include a subject access request under section 7 of the Data Protection Act 1998. Litigants dissatisfied with the response to such requests often make applications for disclosure. Where an application is made in the usual way (i.e. under the CPR, rather than as a claim under section 7 of the DPA), how should it be approached? As a subject access request, with the “legal proceedings” exemption (section 35) arising for consideration, or as an “ordinary” disclosure application under CPR Rule 31? If the latter, what role (if any) do data protection rights play in the analysis of what should be disclosed?

As the Court of Appeal in Durham County Council v Dunn [2012] EWCA Civ 1654 observed in a judgment handed down today, there is much confusion and inconsistency of approach to these questions. Difficulties are exacerbated when the context is particularly sensitive – local authority social work records being a prime example. Anyone grappling with disclosure questions about records of that type will need to pay close attention to the Dunn judgment.

Background to the disclosure application

Mr Dunn alleged that he had suffered assaults and systemic negligence while in local authority care. He named individual perpetrators. He also said he had witnessed similar acts of violence being suffered by at other boys. He brought proceedings against the local authority. His solicitors asked for disclosure of various documents; included in the list of requested disclosure was the information to which Mr Dunn was entitled under section 7 of the DPA. Some documents were withheld from inspection, apparently on data protection grounds.

Mr Dunn made a disclosure application in the usual way, i.e. he did not bring a section 7 DPA claim. The District Judge assessed the application in data protection terms. He ordered disclosure with the redaction of names and addresses of residents of the care facility – but not those of staff members and other agents, who would not suffer the same stigmas or privacy incursions from such disclosure.

Mr Dunn said he could not pursue his claim properly without witnesses and, where appropriate, their contact details. He appealed successfully against the disclosure order. The order for redaction was overturned. The judge’s approach was to consider this under the CPR (this being a civil damages claim) – but to take the DPA into account as a distinct consideration in reaching his disclosure decision.

The relevance of the DPA

The Court of appeal upheld the use of the CPR as the correct regime for the analysis. It also upheld the appeal judge’s ultimate conclusion. It said, however, that he went wrong in treating the DPA as a distinct consideration when considering a disclosure application under the CPR. With such applications, the DPA is a distraction (paragraphs 21 and 23 of the judgment of Maurice Kay LJ). It is potentially “misleading to refer to a duty to protect data as if it were a category of exemption from disclosure or inspection. The true position is that CPR31, read as a whole, enables and requires the court to excuse disclosure or inspection on public interest grounds” (paragraph 21).

This was not to dismiss the usefulness of a subject access request to those contemplating litigation. See paragraph 16:

“I do not doubt that a person in the position of the claimant is entitled – before, during or without regard to legal proceedings – to make an access request pursuant to section 7. I also understand that such a request prior to the commencement of proceedings may be attractive to prospective claimants and their solicitors. It is significantly less expensive than an application to the Court for disclosure before the commencement of proceedings pursuant to CPR31.16. Such an access may result in sufficient disclosure to satisfy the prospective claimant’s immediate needs. However, it has its limitations. For one thing, the duty of the data controller under section 7 is not expressed in terms of disclosure of documents but refers to communication of “information” in “an intelligible form”. Although this may be achieved by disclosure of copies of original documents, possibly redacted pursuant to section 7(5), its seems to me that it may also be achievable without going that far. Secondly, if the data subject is dissatisfied by the response of the data controller, his remedy is by way of proceedings pursuant to section 7 which would be time-consuming and expensive in any event. They would also engage the CPR at that stage: Johnson v Medical Defence Union [2005] 1 WLR 750; [2004] EWCH 2509 (Ch).”

Instead, the CPR disclosure analysis should balance Article 6 and Article 8 rights in the context of the particular litigation.

Maurice Kay LJ summed up the requisite approach as follows:

“What does that approach require? First, obligations in relation to disclosure and inspection arise only when the relevance test is satisfied. Relevance can include “train of inquiry” points which are not merely fishing expeditions. This is a matter of fact, degree and proportionality. Secondly, if the relevance test is satisfied, it is for the party or person in possession of the document or who would be adversely affected by its disclosure or inspection to assert exemption from disclosure or inspection. Thirdly, any ensuing dispute falls to be determined ultimately by a balancing exercise, having regard to the fair trial rights of the party seeking disclosure or inspection and the privacy or confidentiality rights of the other party and any person whose rights may require protection. It will generally involve a consideration of competing ECHR rights. Fourthly, the denial of disclosure or inspection is limited to circumstances where such denial is strictly necessary. Fifthly, in some cases the balance may need to be struck by a limited or restricted order which respects a protected interest by such things as redaction, confidentiality rings, anonymity in the proceedings or other such order. Again, the limitation or restriction must satisfy the test of strict necessity.”

How to approach disclosure of social work records in litigation

This issue was dealt with by Munby LJ. In short, the main question was whether those seeking to withhold or redact social work records in litigation should analyse the issue in terms of public interest immunity (as some textbooks, older authorities and even the White Book appeared to suggest) or in terms of a balancing between competing rights under the ECHR (in particular, Articles 6 and 8).

Munby LJ made clear that the right answer is the latter. Where information contained in social work records is to be withheld in legal proceedings, this should not now be on the basis of a claim to public interest immunity; we are “a world away from 1970 or even 1989” (paragraph 43). This was despite the fact that “the casual reader of the White Book” (paragraph 31.3.33 in particular) could be forgiven for thinking that PII applies to local authority social work records. Here Munby LJ said he “would respectfully suggest that the treatment of this important topic in the White Book is so succinct as to be inadvertently misleading” (paragraph 48).

Importantly, Munby LJ also went on to explain how (and with what stringency) Article 8 rights to privacy and the protection of personal information should be approached when disclosing information pursuant to litigation. At paragraph 50, he gave the following guidance:

“… particularly in the light of the Convention jurisprudence, disclosure is never a simply binary question: yes or no. There may be circumstances, and it might be thought that the present is just such a case, where a proper evaluation and weighing of the various interests will lead to the conclusion that (i) there should be disclosure but (ii) the disclosure needs to be subject to safeguards. For example, safeguards limiting the use that may be made of the documents and, in particular, safeguards designed to ensure that the release into the public domain of intensely personal information about third parties is strictly limited and permitted only if it has first been anonymised. Disclosure of third party personal data is permissible only if there are what the Strasbourg court in Z v Finland (1998) 25 EHRR 373, paragraph 103, referred to as “effective and adequate safeguards against abuse.” An example of an order imposing such safeguards can be found in A Health Authority v X (Discovery: Medical Conduct) [2001] 2 FLR 673, 699 (appeal dismissed A Health Authority v X [2001] EWCA Civ 2014, [2002] 1 FLR 1045).”

Robin Hopkins

Tags: , , , , , , ,
Posted in INFORMATION LAW | Comments Off on CPR disclosure applications: ignore the DPA; balance Articles 6 and 8 instead

Redacting for anonymisation: Article 8 v Article 10 in child protection context

December 13th, 2012 by Robin Hopkins

Panopticon has reported recently on the ICO’s new Code of Practice on Anonymisation: see Rachel Kamm’s post here. That Code offers guidance for ensuring data protection-compliant disclosure in difficult cases such as those involving apparently anonymous statistics, and situations where someone with inside knowledge (or a ‘motivated intruder’) could identify someone referred to anonymously in a disclosed document. The Upper Tribunal in Information Commissioner v Magherafelt District Council [2012] UKUT 263 AAC grappled with those issues earlier this year in the context of disclosing a summarised schedule of disciplinary action.

Redaction is often crucial in achieving anonymisation. Getting redaction right can be difficult: too much redaction undermines transparency, too much undermines privacy. The Court of Appeal’s recent judgment In the matter of X and Y (Children) [2012] EWCA Civ 1500 is a case in point. It involved the publication of a summary report from a serious case review by a Welsh local authority’s Safeguarding Children Board. The case involved very strong competing interests in terms of Article 8 and Article 10 ECHR. For obvious reasons (anonymity being the key concern here) little could be said of the underlying facts, but the key points are these.

A parent was convicted in the Crown Court of a serious offence relating to one of the children of the family (X). The trial received extensive coverage in the local media. The parent was named. The parent’s address was given. The fact that there were other siblings was reported, as also their number. All of this coverage was lawful.

The local authority’s Safeguarding Children Board conducted a Serious Case Review in accordance with the provisions of the Children Act 2004 and The Local Safeguarding Children Boards (Wales) Regulations 2006. Those Regulations require the Board to produce an “overview report” and also an anonymised summary of the overview report. The relevant Guidance provides that the Board should also “arrange for an anonymised executive summary to be prepared, to be made publicly available at the principal offices of the Board”.

Here two features of the draft Executive Summary were pivotal.

First, reference was made to the proceedings in the Crown Court in such a way as would enable many readers to recognise immediately which family was being referred to and would enable anyone else so inclined to obtain that information by only a few minutes searching of the internet.

Second, it referred, and in some detail, to the fact, which had not emerged during the proceedings in the Crown Court and which is not in the public domain, that another child in the family (Y), had also been the victim of parental abuse.

The local authority wanted to publish the Executive Summary, seeking to be transparent about its efforts to put right what went wrong and that it has learned lessons from X’s death. It recognised the impact on Y, but argued for a relaxtion of a restricted reporting order to allow it to publish the Executive Summary with some redactions. It was supported by media organisations who were legally represented.

The judge (Peter Jackson J) undertook a balance of interests under Articles 8 and 10. He allowed publication, with redactions which were (in the Court of Appeal’s words) “in substance confined to three matters: the number, the gender and the ages of the children.”

In assessing the adequacy of these redaction, the Court of Appeal considered this point from the judgment of Baroness Hale in ZH (Tanzania) v Secretary of State for the Home Department [2011] UKSC 4, [2011] 2 AC 166, at paragraph 33:

“In making the proportionality assessment under article 8, the best interests of the child must be a primary consideration. This means that they must be considered first. They can, of course, be outweighed by the cumulative effect of other considerations.”

Munby LJ thus concluded (paragraph 47 of this judgment) that “it will be a rare case where the identity of a living child is not anonymised”.

He recognised, on the other hand, that Article 10 factors always retained their importance: “there could be circumstances where the Article 8 claims are so dominant as to preclude publication altogether, though I suspect that such occasions will be very rare.”

On the approach to anonymisation through redaction, Munby LJ had this to say (paragraph 48):

“In some cases the requisite degree of anonymisation may be achieved simply by removing names and substituting initials. In other cases, merely removing a name or even many names will be quite inadequate. Where a person is well known or the circumstances are notorious, the removal of other identifying particulars will be necessary – how many depending of course on the particular circumstances of the case.”

In the present case, the redactions had been inadequate. They did not “address the difficulty presented by the two key features of the draft, namely, the reference to the proceedings in the Crown Court and the reference to the fact that Y had also been the victim of parental abuse” (paragraph 53).

Far more drastic redaction was required in these circumstances: to that extent, privacy trumped transparency, notwithstanding the legislation and the Guidance’s emphasis on disclosure. In cases such as this (involving serious incidents with respect to children), those taking disclosure decisions should err on the side of heavy redaction.

Robin Hopkins

 

Tags: , , , , ,
Posted in INFORMATION LAW | Comments Off on Redacting for anonymisation: Article 8 v Article 10 in child protection context

Internet traffic data and debt collection: privacy implications

December 5th, 2012 by Robin Hopkins

Mr Probst was a subsriber to the internet service provider (ISP) Verizon. He failed to pay his bill. A company called ‘nexnet’, the assignee of Verizon’s debt, sought to collect the sums due. In doing so, it obtained and used his internet traffic data in accordance with its ‘data protection and confidentiality agreement’ with Verizon. Disinclined to pay up, Mr Probst argued that nexnet had processed his personal data unlawfully and that the relevant terms of its agreement with Verizon purporting to sanction that processing were void. The first-instance German court agreed with him, but the appellate court did not.

It referred a question to the CJEU concerning Directive 2002/58 (the privacy and electronic communications Directive), which seeks to “particularise and complement” the Data Protection Directive 95/46/EC.

Article 5(1) of the 2002 Directive provides confidentiality in respect of electronic communications and traffic data. Article 6(1) says that traffic data must be “erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication”, unless one of the exceptions in that Article applies. The relevant provisions here were Articles 6(2) and (5). The first allows traffic data to be processed for subscriber billing purposes – but only within a specified time period. The second allows for processing of such data by an ISP’s authorised agent only for specified activities and only insofar as is necessary for those activities. The provisions are worded as follows:

(2) Traffic data necessary for the purposes of subscriber billing and interconnection payments may be processed. Such processing is permissible only up to the end of the period during which the bill may lawfully be challenged or payment pursued.

(5) Processing of traffic data, in accordance with paragraphs 1, 2, 3 and 4, must be restricted to persons acting under the authority of providers of the public communications networks and publicly available electronic communications services handling billing or traffic management, customer enquiries, fraud detection, marketing electronic communications services or providing a value added service, and must be restricted to what is necessary for the purposes of such activities.

In Probst v mr.nexnet GmbH (Case C‑119/12), the Third Chamber of the CJEU essentially had to decide whether, and in what circumstances, Articles 6(2) and (5) allow an ISP to pass traffic data to the assignee of its claims for payment such that the latter may process those data. Its starting point was that Articles 6(2) and (5) were exceptions to the general principle of confidentiality with respect to one’s internet traffic data. They therefore needed to be construed strictly.

As regards Article 6(2), Mr Probst had argued that nexnet was not in the business of ‘billing’, but in the business of debt collection. The referring court’s view was that, for data protection purposes, those activities were sufficiently closely connected to be treated indentically. The Third Chamber agreed. It found that, by authorising traffic data processing ‘up to the end of the period during which the bill may lawfully be challenged or payment pursued’, Article 6(2) relates not only to data processing at the time of billing but also to the processing necessary for securing payment thereof.

As to Article 6(5), the Court held “that a persons acts under the authority of another where the former acts on instructions and under the control of the latter”.

The next question was essentially: what does a data protection-compliant contract between an ISP and a third party (an agent, assignee or someone to whom an activity is outsourced) look like? Must the ISP actually be able to determine the use of the data by the third party, including on a case-by-case basis, throughout the duration of the data processing? Or is it sufficient that its contract with the third party contains general rules about the privacy of telecommunications and data protection and provides for data to be erased or returned on request?

The Court emphasised that outsourcing or assignment may not result in lower levels of protection for individuals’ personal data (paragraph 26). The contract must be sufficiently specific. It must, for example, provide for the immediate and irreversible erasure or return of data as soon as knowledge thereof is no longer necessary for the recovery of the claims concerned. The controller (here, the ISP) must be in a position to check and ensure compliance with the privacy and data protection measures agreed under the contract, and the contract must provide for the ISP to be able to request the return or erasure of the data.

The issue in the Probst case (how to balance privacy and legal rights to monies owed) has obvious parallels with measures to combat copyright infringement (how to balance privacy and legal rights to intellectual property). I have blogged on copyright and privacy issues here and here.

The Probst judgment is an important confirmation of general principles about privacy with respect to one’s internet data. The implications for all sorts of contracts involving such data are clear – cloud computing arrangements, for example (on which, see Panopticon’s post here).

It is increasingly important that those contracts provide for specific and enforceable safeguards against unlawful processing of personal data. The Data Protection Directive will change before too long, but these principles will not.

Robin Hopkins

Tags: , , ,
Posted in INFORMATION LAW | Comments Off on Internet traffic data and debt collection: privacy implications

Leveson Inquiry Report: spotlight on proposed data protection reforms

November 29th, 2012 by Rachel Kamm

Lord Justice Leveson has today published his eagerly awaited report into the culture, practices and ethics of the press.  The key proposal which will shape the future of press regulation is the recommendation to create an independent self-regulatory body, governed by an independent board. Of particular interest to information lawyers is the discussion of the extent to which the current legal, policy and regulatory framework has failed in relation to data protection. In this respect, the Report considers the lessons that can be learned from the practices of the press in relation to data handling and processing, makes bold recommendations in relation to legislative reform and further considers a bolstering of the Information Commissioner’s role and function.  The principal parts of the report dealing with the Data Protection Act 1998 (“DPA”) and ICO are Volume III, Part H and Volume IV, Appendix 4, Part 4.

Data protection: a key element of privacy rights

A key part of the Leveson Inquiry has been to consider the extent to which the press has unjustifiably interfered with the privacy of individuals in a manner which cannot be justified in the public interest. In this context, invasion of privacy does not mean simply through the publication of articles which intrude into the details of individuals’ private lives, but rights of individuals to keep personal information private, and rights restricting how personal information is processed by journalists. The Inquiry’s Terms of Reference expressly required Lord Justice Leveson to consider the extent to which the current policy and regulatory framework has failed in relation to data protection. The Inquiry provided a fresh and independent perspective for considering the DPA and the role of the ICO.

Historic difficulties in investigating and regulating data protection breaches by the press

Operation Motorman was an investigation by the ICO into the conduct of a private investigator, Steve Whittamore, which revealed that a significant amount of personal data was being sought by journalists working for most of the major newspaper groups. The data was being obtained by Mr Whittamore in breach of s.55 DPA (for example, through payments to public officials for details from a DVLA database, or through the blagging of friends and family telephone numbers from BT) and subsequently supplied to journalists. Mr Whittamore was prosecuted, but no journalist was interviewed by the ICO or subjected to enforcement action or prosecution. The Report highlights that the investigation produced a ‘treasure trove’ of evidence of serious and systemic illegality and poor practice in the acquisition and use of personal information which could have spread across the press as a whole. It also questions why the ICO failed to interview journalists or prosecute journalists for breach of the DPA, and notes that two reports laid before Parliament by the ICO had set out the evidence of a flourishing and unlawful trade in confidential personal information.

The Report highlights that one of the difficulties encountered by the ICO in pursuing breaches of data protection legislation against the press arose from deficiencies in the legal framework, which “puts unnecessary and inappropriate barriers in the way of regulatory law enforcement and the protection of victims’ rights”. Perhaps for this reason, amendments to the legal framework form a key part of the recommendations on data protection reform.

Recommendations to amend data protection legislation

Section 32 of the DPA restricts the circumstances in which the ICO can exercise most of its powers in relation to the press. Section 32 operates by disapplying a number of investigative and enforcement powers in circumstances where the data processing falls within section 32, namely where (i) the processing is undertaken with a view to the publication by any person of any journalistic material; (ii) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest; and (iii) the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes.

The Report recommends that section 32 should be amended so as to make it available only where: (a) the processing of data is necessary for publication, rather than simply being in fact undertaken with a view to publication; (b) the data controller reasonably believes that the relevant publication would be or is in the public interest, with no special weighting of the balance between the public interest in freedom of expression and in privacy; and (c) objectively, that the likely interference with privacy resulting from the processing of the data is outweighed by the public interest in publication. These amendments would render it more difficult for those organisations processing data for the purposes of publication to bring themselves within the scope of s.32. The proposed amendments seek to re-set the balance between the public interest in freedom of expression and the public interest in personal information privacy.

Further, the report recommends that the extent to which s.32 disapplies provisions of the DPA should be reduced and  that the processing of data by the press should be subject to the following obligations (which previously attracted exemption):

  •  the requirement of the first data protection principle to process personal data fairly (except in relation to the provision of information to the data subject under paragraph 2(1)(a) of Part II Schedule 1 to the DPA) and in accordance with statute law;
  •  the second data protection principle (personal data to be obtained only for specific purposes and not processed incompatibly with those purposes);
  • the fourth data protection principle (personal data to be accurate and kept up to date);
  •  the sixth data protection principle (personal data to be processed in accordance with the rights of individuals under the Act);
  •  the eighth data protection principle (restrictions on exporting personal data); and
  • the right of subject access (subject to further investigation and clarification of protection of journalists’ sources).

Recommendations for procedural amendments

The Report recommends:

  • The repeal of certain procedural provisions of the DPA with special application to journalism (namely section 32(4) and (5) and sections 44 to 46). The purpose of this is to give the ICO, and the Courts, greater powers to consider breaches of data protection without procedural hurdles in place, for example repealing section 32(4) would allow Courts to consdier preventing the Courts considering the complaint whilst the ICO determines whether the data controller has been processing the date for the purposes of journalism;
  • In conjunction with the repeal of those procedural provisions, consideration should be given to the desirability of including in the DPA a provision to the effect that, in considering the exercise of any powers in relation to the media or other publishers, the ICO should have special regard to the obligation in law to balance the public interest in freedom of expression alongside the public interest in upholding the data protection regime;
  • Specific provision should be made to the effect that, in considering the exercise of any of its powers in relation to the media or other publishers, the ICO must have regard to the application to a data controller of any relevant system of regulation or standards enforcement which is contained in or recognised by statute; and
  • To further strengthen individuals’ rights, the right to compensation for distress conferred by section 13 of the DPA is not restricted to cases of pecuniary loss, but should include compensation for pure distress.

ICO’s powers of prosecution

In his evidence to the Inquiry, the former Information Commissioner Richard Thomas described the ICO as “primarily not a prosecuting authority. That was almost on the side”. The main formal power in the event of non-compliance was the ‘enforcement notice’, which could specify and require compliance action subject to the back-up sanctions of court enforcement, although this was not frequently used. Prosecution powers were limited to section 55 of the DPA and did not extend, for example, to other offences such as phone hacking (although this might also technically involve a section 55 DPA breach).

The Report recommends that:

  • The necessary steps should be taken to bring into force the amendments made to section 55 of the DPA by section 77 of the Criminal Justice and Immigration Act 2008 (increase of sentence maxima) to the extent of the maximum specified period; and by section 78 of the 2008 Act (enhanced defence for public interest journalism);
  • The prosecution powers of the Information Commissioner should be extended to include any offence which also constitutes a breach of the data protection principles.
  • A new duty should be introduced (whether formal or informal) for the ICO to consult with the Crown Prosecution Service in relation to the exercise of its powers to undertake criminal proceedings;
  • The ICO should immediately adopt the Guidelines for Prosecutors on assessing the public interest in cases affecting the media, issued by the Director of Public Prosecutions in September 2012; and
  • The ICO should take immediate steps to engage with the Metropolitan Police on the preparation of a long-term strategy in relation to alleged media crime with a view to ensuring that it is well placed to fulfil any necessary role in this respect in the future, and in particular in the aftermath of Operations Weeting, Tuleta and Elveden.

Recommendation to issue guidance

The Report includes a number of recommendations directed at the ICO in relation to its provision of guidance and advice. In particular, it recommends that the ICO should issue good practice guidelines and advice on appropriate principles and standards to be observed by the press in the processing of personal data. Further, it should issue guidance to the public on their individual rights in relation to the press and their personal data and also advice for data subjects who are concerned that their data may have been processed by the press unlawfully or otherwise than in accordance with good practice. In full:

  • The ICO should take immediate steps to prepare, adopt and publish a policy on the exercise of its formal regulatory functions in order to ensure that the press complies with the legal requirements of the data protection regime.
  • In discharge of its functions and duties to promote good practice in areas of public concern, the ICO should take immediate steps, in consultation with the industry, to prepare and issue comprehensive good practice guidelines and advice on appropriate principles and standards to be observed by the press in the processing of personal data. This should be prepared and implemented within six months from the date of this Report.
  • The ICO should take steps to prepare and issue guidance to the public on their individual rights in relation to the obtaining and use by the press of their personal data, and how to exercise those rights.
  • In particular, the ICO should take immediate steps to publish advice aimed at individuals (data subjects) concerned that their data have or may have been processed by the press unlawfully or otherwise than in accordance with good practice.
  • The ICO, in the Annual Report to Parliament which it is required to make by virtue of section 52(1) of the DPA, should include regular updates on the effectiveness of the foregoing measures, and on the culture, practices and ethics of the press in relation to the processing of personal data.

Strengthening the ICO

The Report recommends that the opportunity should be taken to consider amending the DPA formally to reconstitute the ICO as an Information Commission, led by a Board of Commissioners with suitable expertise drawn from the worlds of regulation, public administration, law and business, and active consideration should be given in that context to the desirability of including on the Board a Commissioner from the media sector.

The Report recommended to the ICO that:

  • It should take the opportunity to review the availability to it of specialist legal and practical knowledge of the application of the data protection regime to the press, and to any extent necessary address it; and
  • It should take the opportunity to review its organisation and decision-making processes to ensure that large-scale issues, with both strategic and operational dimensions (including the relationship between the culture, practices and ethics of the press in relation to personal information on the one hand, and the application of the data protection regime to the press on the other) can be satisfactorily considered and addressed in the round.

Conclusion

The recommendations in the Report seek to significantly strengthen the ICO’s powers to investigate and enforce against poor press practices and, if enacted, would represent a marked change in the relationship between the ICO and the press.

Rachel Kamm

(11KBW’s Heather Emmerson was instructed by the Treasury Solicitor as part of the team of Counsel to the Leveson Inquiry.)

Posted in Uncategorized | Comments Off on Leveson Inquiry Report: spotlight on proposed data protection reforms

Court of Appeal considers whether the Enhanced Criminal Records Certificate regime infringes Article 8

November 28th, 2012 by Hannah Slarks

This week, the Court of Appeal heard the cases of R (T) v Chief Constable of the Greater Manchester Police and others and R (JB) v the Secretary of State for the Home Department.  These are the latest in a series of cases challenging whether the criminal records checks regime is compatible with the Convention.  Unlike previous cases, which have concerned the disclosure of “soft information” held on local police computer systems, these cases raise in stark terms the compatibility of s.113B(3)(a) of the Police Act 1997 with Article 8.  This requires the disclosure of all convictions, cautions, warnings and reprimands on an Enhanced Criminal Records Certificate (“ECRC”).  In T’s case, his ECRC disclosed a warning he had been given for stealing a bicycle when he was 11.  In JB’s case, her ECRC disclosed a caution for shoplifting given eight years before the check.

Was there an interference?

The first issue to be considered by the Court is whether there is any interference with Article 8.  Following R (L) v Commissioner of Police for the Metropolis [2010] 1 AC 410 M.M. v United Kingdom (Application no. 24029/07), it is clear that a person’s Article 8 rights will be engaged by disclosure of their past convictions in two situations:  if the disclosure has a direct effect on their employment opportunities; or if their convictions are sufficiently long ago that they have become part of their private life.

Neither T nor JB lost employment opportunities as a direct result of the ECRC.  T risked losing a place on his degree course, but was eventually permitted to finish.  JB was told that one agency would not put her forward for work as a carer.  However, she may be able to work with other agencies.

The question is whether the disclosure of this information on an ECRC will necessarily interfere with the right to respect for private life, even if it does not affect the subject’s employment opportunities.  In favour of this proposition, it was argued that because a caution or warning is given in private, as it recedes into the past, it becomes part of the subject’s private life.  Similarly, as a conviction recedes into the past, it could also become part of the subject’s private life.  Against it, it was argued that the conviction and warning were too recent to have become part of the Claimants’ private lives.

Was any interference justified?

The question of whether any interference was justified turns on both principled arguments and the effect of a number of key decisions in this area.

As to the principles, the Claimants, Liberty and the EHRC argued that it was disproportionate to require blanket and indiscriminate disclosure of all convictions, cautions, warnings and reprimands, no matter how old and how relevant to the purpose for which the ECRC was obtained.  Counsel for the Secretary of State argued that designing the criminal record checks regime involves striking a balance between important and conflicting interests. This is a matter for Parliament.  Parliament has resolved to leave it up to employers to decide whether an offence is minor or irrelevant.  This solution allows for an automated, rule-based process for undertaking the ECRC.  Therefore, he argued, this is a reasonable solution.

In addition to this analysis of the principles, arguments on justification focused on the effect of three key authorities:

  1. R (L) v Commissioner of Police for the Metropolis [2010] 1 AC 410.  The Court of Appeal was asked to consider whether the majority of the Supreme Court in L had decided that the Act was compatible with Article 8 insofar as it required disclosure of all convictions and cautions.  There was also debate as to whether L is incompatible with the later Supreme Court decision that the notification obligations on sex offenders were incompatible with Article 8 (R (F) v Justice Secretary [2011] 1 AC 331).
  2. Chief Constable of Humberside Police and others v Information Commissioner [2010] 1 WLR 1136:  A week before the decision in L, the Court of Appeal had held that the retention of information regarding criminal convictions was justified.  The question for the Court of Appeal now is whether this decision is distinguishable on the grounds that it concerned retention, rather than disclosure, of information.
  3. M.M. v United Kingdom (Application no. 24029/07):  Only two weeks ago, the Strasbourg Court held that the arrangements in Northern Ireland for the indefinite retention of data relating to a person’s criminal caution infringe Article 8 of the ECHR (read Charles Bourne’s blog post on this case here).  The disclosure of this data in criminal record checks was also found to infringe Article 8, as the statutory scheme did not provide sufficient safeguards to protect the data from disclosure in breach of Article 8.  Therefore, the interference with the Applicant’s Article 8 rights was ‘not in accordance with the law’.  Before the Court of Appeal, it was argued by the Government that MM: was wrongly decided; was distinguishable on its facts; does not embody any clear constant jurisprudence of the Strasbourg Court and cannot in any event be followed because of the effect of the Supreme Court’s decision in L.

Is the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 (SI 1975/1023) ultra vires?

This additional issue was only raised in T.  Applicants for jobs covered by the Order have to answer truthfully any questions from prospective employers about their spent convictions and cautions.  Applicants for jobs falling outside the scope of the Order are permitted to answer untruthfully.  The question is whether the Order is ultra vires because it is incompatible with Article 8 to (in effect) require prospective employees for certain positions to disclose all of their convictions and cautions.  There was argument as to whether striking down the Order would improperly impose a positive obligation on the State to permit employees to give untruthful answers.  The Court is also asked to consider whether the compatibility of the Order is really a distinct issue from the compatibility of s.113B(3)(a) of the Police Act.

Judgment is awaited.

Jason Coppel represented the Home Secretary in both cases and the Justice Secretary in T.  Tim Pitt-Payne QC represented Liberty, intervening in T.

 

Hannah Slarks

Posted in Uncategorized | Comments Off on Court of Appeal considers whether the Enhanced Criminal Records Certificate regime infringes Article 8

Norwich Pharmacal Relief

November 28th, 2012 by James Goudie QC

If through no fault of his own a person gets  mixed up in the tortious acts of others so as to facilitate their wrong-doing he may incur no personal liability but he comes under a duty to assist the person who has been wronged by giving him full information and disclosing the identity of the wrongdoers.  Justice requires that he should co-operate in righting the wrong if he unwittingly facilitated its perpetration.  This is the principle recognized by the House of Lords in Norwich Pharmacal Co v Customs and Excise Commissioners [1974] AC 133.

This principle has been considered by the Supreme Court in Rugby Football Union v Consolidated Information Services Ltd (formerly Viagogo Ltd) [2012] UKSC 55.  This case arose in the following way. 

The Rugby Football Union (RFU) is of course the governing body for Rugby Union in England. It owns Twickenham Stadium.  It is responsible for issuing tickets for matches played at the Stadium. It is the RFU’s policy to allocate tickets so as to develop the sport and enhance its popularity. Most tickets are distributed via affiliated rugby clubs and other bodies. The distribution thereafter is subject to different rules depending on the nature of the body in question. Member clubs are permitted to sell some or all of their ticket allocation to official licensed operators for use in corporate hospitality packages. The RFU’s terms and conditions stipulate that any resale of a ticket or any advertisement of a ticket for sale at above face value will constitute a breach of contract rendering the ticket null and void. This condition is printed on the tickets and applicants are warned of it on ticket application forms. A further term stipulates that the tickets are property of the RFU at all times.

Viagogo (now in liquidation) operated a website which provided the opportunity for visitors to the site to buy tickets online for a number of sporting and other events. Sellers would register their tickets with Viagogo and a price would be suggested based on current market data. Viagogo received a percentage of the sale. The RFU monitors ticket re-sale websites in an attempt to discover whether and by whom tickets were being sold above face value. This effort was frustrated, however, in many instances by the anonymity offered by websites including Viagogo.

In the run up to the international rugby matches in autumn 2010 and the Six Nations Tournament, the RFU discovered that Viagogo had been used to advertise thousands of tickets for the matches at Twickenham. Tickets with a face value of £20 to £55 were being advertised for sale at up to £1300. After a request for information about the identity of those selling the tickets was refused, the RFU issued proceedings against Viagogo seeking information which it required in order to take action to protect its policy in relation to tickets.

The High Court granted the RFU a Norwich Pharmacal order requiring Viagogo to disclose the identities of those involved in the sales. The order was made on the grounds that the RFU had a good arguable case that those selling and purchasing the tickets had been guilty of breach of contract and that it was appropriate to grant the order for them to obtain redress.

Before the Court of Appeal, Viagogo introduced a new ground of appeal to the effect that granting the order represented a disproportionate interference with the rights of the potential wrongdoers under Article 8 of the Charter of Fundamental Rights of the European Union. Article 8 guarantees the protection of personal data. The Court of Appeal [2011] EWCA Civ 1585 upheld the decision of the High Court and decided that the RFU had no readily alternative means of pursuing the wrongdoers. On the new ground the Court of Appeal held that interference with the personal data rights of the individuals was proportionate in light of the RFU’s legitimate objective in obtaining redress for arguable wrongs.

The issue before the Supreme Court was whether the grant of the order involved a breach of Article 8 of the Charter.  The Supreme Court unanimously dismissed the appeal.  

The Supreme Court observed that cases since Norwich Pharmacal itself have emphasized the need for flexibility and discretion in considering whether the remedy should be granted.  It is not necessary that an applicant intends to bring legal proceedings in respect of the arguable wrong.  Any form of redress (for example disciplinary action or the dismissal of an employee) will suffice to ground an application for the order.  The need to order disclosure will be found to exist only if it is a necessary and proportionate response in all the circumstances.  The test of necessity does not require the remedy to be one of last resort.  The essential purpose of the remedy is to do justice.  This involves the exercise of discretion by a careful and fair weighing of all relevant factors.

Various factors have been identified in the authorities as relevant.  These include: (i) the strength of the possible cause of action contemplated by the applicant for the order;  (ii) the strong public interest in allowing an applicant to vindicate his legal rights;  (iii) whether the making of the order will deter similar wrongdoing in the future;  (iv) whether the information could be obtained from another source;  (v) whether the respondent to the application knew or ought to have known that he was facilitating arguable wrongdoing; (vi) whether the order might reveal the names of innocent persons as well as wrongdoers, and if so whether such innocent persons will suffer any harm as a result;  (vii) the degree of confidentiality of the information sought; (viii) the privacy rights under Article 8 of the ECHR of the individuals whose identity is to be disclosed; (ix) the rights and freedoms under the EU data protection regime of the individuals whose identity is to be disclosed; and (x) the public interest in maintaining the confidentiality of journalistic sources, as recognized in s10 of the Contempt of Court Act 1981 and Article 10 of the ECHR.

As Lord Kerr stated (para 18), many of these factors are self-evidently relevant to the question of whether the issue of a Norwich Pharmacal order is proportionate in the context of Article 8 of the Charter of Fundamental Rights of the European Union.  Article 8 of the Charter was applicable as the order of the High Court involved disclosure of private data and thus was in the material scope of European Law.

The Supreme Court held that the appropriate test of proportionality under Article 8 of the Charter involved weighing the benefit of the information being sought by the RFU against the impact that disclosure was likely to have on the individual concerned. The appellant was wrong to suggest, however, that the assessment had to be carried out solely by reference to the particular benefit that obtaining information in relation to an individual might bring.  It was artificial and unrealistic to suggest that the RFU’s aim of discouraging others in the future from flouting its rules should not be considered.  The facts of each case must be considered individually, but there was nothing in the European cases cited or otherwise which supported the notion that the wider context for which the RFU wished to have the information should be left out of account.

While there should be an intense focus on the rights claimed by the individuals concerned, this was not a case where disclosure would result in oppressive or unfair treatment. The only information sought was the names and addresses of individuals who had bought and sold tickets in clear breach of the RFU’s ticket policy. The particular circumstances affecting a person whose data were sought may in some limited cases displace the interests of the applicant for disclosure even where there was no feasible alternative way of getting the information. This was not such a case, however.

Posted in INFORMATION LAW | Comments Off on Norwich Pharmacal Relief

« Older Entries
Newer Entries »