I have observed (Panopticon passim) that the Data Protection Act 1998 features surprisingly sparingly in litigation. That appears to be somewhat less true of Scotland: for instance, Common Services Agency [2011] 1 Info LR 184, the leading case on anonymisation and barnardisation, came before the House of Lords from Scottish litigation. Here are two more recent examples, one from today, the other from last month.
South Lanarkshire
The Supreme Court has today given judgment in an appeal from the Inner House of the Scottish Court of Session about a FOI(S)A request for the number of individuals employed by South Lanarkshire Council on specific points in the pay structure, for the purposes of analysing compliance with Equal Pay legislation. The Council relied on the personal data exemption (contending that individuals could be identified from the requested information), but the Scottish Information Commissioner ordered disclosure. The Council’s appeal was dismissed by the Court of Session ([2012] CSIH 30) and, today, by the Supreme Court (South Lanarkshire Council v Scottish IC [2013] UKSC 55).
There were two issues for the Supreme Court. First, what does ‘necessary’ mean when it comes to condition 6(1) of schedule 2 to the DPA (the condition most often relied upon in support of disclosing personal data to the public), which provides that:
The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
Giving the Court’s judgment, Baroness Hale said that it was obvious that condition 6 requires three questions to be answered: (i) is the data controller or the third party or parties to whom the data are disclosed pursuing a legitimate interest or interests?, (ii) is the processing involved necessary for the purposes of those interests?, and (iii) is the processing unwarranted in this case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject? In her view, “it is not obvious why any further exegesis of those questions is required” (paragraph 18).
Further exegesis was, however, required because of the Council’s submissions as to how strictly the term “necessary” should be construed. Baroness Hale’s answer was entirely unsurprising (see paragraphs 25-28). “Necessary” has to be considered in relation to the processing to which it relates. If the processing involves no interference with Article 8 ECHR rights, then it might be thought that all that has to be asked is whether the requester is pursuing a legitimate interest in seeking the information (which was not at issue in this case) and whether he needs that information in order to pursue it. If the processing does engage Article 8 ECHR rights, then “it is well established in community law that, at least in the context of justification rather than derogation, “necessary” means “reasonably” rather than absolutely or strictly necessary”. None of this will come as a surprise – as, for example, Jon Baines has observed in his Information Rights and Wrongs post. Indeed, as Baroness Hale observed, it is unclear that the stricter standard of necessity for which the Council argued would have been any more favourable to it.
The second issue before the Supreme Court was a natural justice challenge. The Scottish IC had asked the applicant a number of questions during his investigation, and had also received letters supporting the request from a number of MPs. This information had not been shared with the Council.
Baroness Hale observed that it was common ground that the Commissioner has a duty to act fairly (see for example Glasgow City Council v Scottish Information Commissioner [2009] CSIH 73, 2010 SC 125). The Commissioner is entitled to make his own enquiries and formulate cases on behalf of applicants, but “he must, of course, give them notice of any new material which his inquiries have elicited and which is adverse to their interests” (paragraph 31). Her Ladyship further observed (paragraphs 31-32) that:
“31. I would add that the Commissioner is fulfilling more than an administrative function. He is adjudicating upon competing claims. And in Scotland, unlike England and Wales, there is no appeal to a tribunal which can decide questions of both fact and law. The Commissioner is the sole finder of facts, with a right of appeal to the Inner House on a point of law only. These factors clearly enhance his duty to be fair. If wrong findings of fact are made as a result of an unfair process, the Inner House will not be able to correct them.
32. However, it does not follow that every communication passing between the Commissioner and the applicant, or between the Commissioner and third parties such as Members of the Scottish Parliament, has to be copied to the public authority…”
In this case, there was no breach of natural justice, and the Council’s appeal failed on both grounds.
Lyons
Another of the more notable recent data protection cases is also Scottish. Additionally, it touches upon another of my observations (see here, for example) about the potential synergies and overlaps between the DPA and defamation. The case is Lyons v Chief Constable of Strathclyde Police [2013] CSIH 46 A681/10, and will be reported in the upcoming edition of the 11KBW/Justis Information Law Reports. In rough outline, the case concerned Mr Lyons’ complaints about two disclosures about him made by the police authority to regulatory/licensing bodies. The police had said that he was recorded on the Scottish Intelligence Database as having been involved in serious organised crime. Mr Lyons denied such involvement, and sued for defamation and damages under section 13 of the DPA.
His defamation claim failed because the police’s communications were made in circumstances which attracted qualified privilege, and were not tainted by malice.
The DPA claim failed too. The accuracy requirement of the fourth data protection principle had not been breached, because even if “Mr Lyons is involved in crime” were inaccurate, “Mr Lyons is recorded on the database as being involved in crime” could not be said to be inaccurate. The police’s reporting of that information arguably lent it some credence, but there was no indication on the facts of unequivocal endorsement of these statements such as to constitute the processing of inaccurate personal data by the police. Here the Court considered the Kordowski DPA/defamation case.
There was also an argument that disclosure of this information had been unfair, though (surprisingly) the case does not appear to have been pleaded as such. The essence of the unfairness argument was that, in Mr Lyons’ view, the police should have contextualised its disclosures by explaining to the recipients the source of the intelligence as to his alleged criminal involvement. The Court of Session dismissed this argument: the police could not sensibly disclose the identities of informants, given the DPA rights of the informants themselves, while Mr Lyons would not be entitled to learn through a subject access request who the informants were (see the exemptions under sections 29 and 31 of the DPA).
Here are a few interesting DPA points to emerge from the Court’s discussion. One is if a data controller endorses the veracity of inaccurate information obtained from someone else, that is not of itself a breach of the DPA (see paragraph 21). Some might query this, at least if applied inflexibly.
A second interesting point is that some might argue as follows: “to present decontextualised allegations in a manner which suggests you consider them credible could surely constitute unfairness. Perhaps you were not required to name your sources, but in the interests of fairness you could at least have made clear that you were passing on information obtained from others whom you considered to be credible”. Roughly that sort of argument seems to have been advanced here; no doubt the facts did not ultimately support it, but stepping back from the facts of this case, the (admittedly woolly and under-litigated) notion of fairness would arguably demand such an approach in many cases.
A third and final point of interest: the complainant relied on what he said were breaches by the police of a number of common law principles emerging from judicial review jurisprudence and the like. The Court was not impressed by their relevance to alleged DPA breaches, at least in the context of this case: see paragraphs 26-27, where the Court suggested that for there to be a DPA breach, there must be a particular DPA requirement which has been breached (though admittedly it did observe earlier in its judgment that ‘lawful’ in the context of the first data protection principle has no special meaning). Some might argue that fairness and lawfulness are designed to be broad enough to encompass principles outside of the black letters of DPA law. Indeed, Article 8 ECHR is increasingly the focus of arguments as to the lawfulness of processing: see for example the ICO’s enforcement notice concerning the use of ANPR cameras in the policing context, issued last week.
In other words, the DPA is not designed to be an entirely self-contained legal world, but rather to protect personal information by reference to all considerations having a bearing on what is being done with that individual’s information, whether or not they are listed by name in the DPA. This is not necessarily a point of disagreement with the Lyons outcome, but a broader observation about what kind of a creature the DPA is, or is intended to be.
Robin Hopkins (@hopkinsrobin)