Data protection: trends, possibilities and FOI disclosures

April 29th, 2013 by Robin Hopkins

At 11KBW’s information law seminar in May, one of the discussion topics was ‘the future of data protection’. Here are some further thoughts on some interesting trends and developments.

Progress at the EU level

A major issue on this front is of course progress on the draft EU Data Protection Regulation – on which see this blog post from the ICO’s David Smith for an overview of the issues currently attracting the most debate. While that negotiation process runs its course, the Article 29 Working Party continues to provide influential guidance for users and regulators on some of the thorniest data protection issues. Its most recent opinion addresses purpose limitation, i.e. the circumstances under which data obtained for one purpose can be put to another. A summary of its views is available here.

Subject access requests

Turning to domestic DPA litigation in the UK, practitioners should watch out for a number of other developments (actual or potential) over the coming months. On the subject access request front, for example, data controllers have tended to take comfort from two themes in recent judgments (such as Elliott and Abadir, both reported on Panopticon). In short, the courts in those cases have agreed that (i) data controllers need only carry out reasonable and proportionate searches, and (ii) section 7(9) claims being pursued for the collateral purpose of aiding other substantive litigation will be an abuse of process.

Data controllers should, however, note that neither of those points is free from doubt: there are plenty who doubt the legal soundness of the proportionality point, and the abuse of process point has arisen for section 7(9) claims to the court – it should not, in other words, be relied upon too readily to refuse requests themselves.

Damages

Damages under section 13 of the DPA is another area of potentially important change. The Halliday v Creation Consumer Finance case (briefly reported by Panopticon) has been given further discussion in the Criminal Law & Justice Weekly here. Based on that information, perhaps the most interesting point is this: defendants have rightly taken comfort from the requirement under section 13 that compensation for distress can be awarded only where damage has also been suffered. In Halliday, however, nominal damages (of £1) were awarded, thereby apparently fulfilling the ‘damage’ requirement and opening the door for a ‘distress’ award (though note that Panopticon has not yet seen a full judgment from the Court of Appeal in this case, so do not take this as a definitive account). If that approach becomes standard practice, claimants may be in much stronger positions for seeking damages.

A further potential development on the damages front arises out of monetary penalty notices: data controllers who are subject to hefty penalties by the ICO may in some cases also find themselves facing section 13 claims from the affected data subjects themselves, presenting a worrying prospect of paying out twice for the same mistake.

Disclosure of personal data in the FOIA context

In general terms, requesters struggle to obtain the personal data of others through FOIA requests. A couple of very recent decisions have, however, gone the other way.

In White v IC and Carmarthenshire County Council (EA/2012/0238), the First-Tier Tribunal allowed the requester’s appeal and ordered disclosure of a list of licensed dog-breeders in the council’s area. In particular, it concluded that (paragraphs 21-23):

“…the Tribunal believes – on the facts of this case – that an important factor for any assessment in relation to the “fairness” of the disclosure of the personal data is best discovered from the context in which the personal data was provided to the Council in the first place.

22. The context, here, is to secure a commercial licence required by law to breed dogs. That license is necessary for the local authority to know who the licensed dog breeders in that area are, and so that the law can be enforced and welfare checks can be conducted as and when necessary in relation to the welfare of the dogs being bred commercially.

23. Licensing – in the ordinary course of things – is a public regulatory process. Indeed it was a public process in Carmarthenshire, in relation to the information that is at the core of this appeal, until the Council changed its policy in 2008.”

The Tribunal was unimpressed by the suggestive language of a survey of dog breeders which the council had carried out to support its case for non-disclosure. It also noted that a neighbouring council had disclosed such information.

The First-Tier Tribunal issued its decision in Dicker v IC (EA/2012/0250) today. It allowed the requester’s appeal and ordered disclosure of the salary of the chief executive of the NHS Surrey PCT over specified time periods, including total remuneration, expenses allowance, pension contributions and benefit details. As to legitimate interests in disclosure, the Tribunal said that (paragraph 13):

“In this case the arrangements (including secondment and recharge from another public authority at one stage) mean that the arrangements are not as transparent as might be wished and it is not entirely clear from the information published (as opposed to the assurances given) that the national pay guidance has been complied with. Mr Dicker asserted that the CEO was paid in excess of the national framework. The Tribunal was satisfied that there was a legitimate public interest in demonstrating that the national framework had been complied with and that the published information did not properly establish this”.

On the questions of distress and privacy infringements, the Tribunal took this view (paragraph 14):

“The CEO is a prominent public servant discharging heavy responsibilities who must expect to be scrutinised. Individuals in such circumstances are rational, efficient, hard-working and robust. They are fully entitled to a high degree of respect for their private lives. However the protection of personal information about their families and their health is a very different matter from having in the public domain information about income… The Tribunal simply cannot accept that anyone in such a role would feel the slightest distress, or consider that there has been any intrusion or that they would be prejudiced in any way by such information. From the perspective of the individual such information is essentially trivial; indeed, in other European societies, such information would be routinely available.”

If this approach were to become standard, the implications for public authorities would be significant.

Further, there are two very important personal data FOIA cases to look out for in the coming months. Following its decision in the Edem case late in 2012, the Upper Tribunal’s next consideration of personal data in the FOIA context is the appeal in the Morley v IC & Surrey Heath Borough Council (EA/2011/0173) case, in which the Tribunal – in a majority decision in which Facebook disclosures played a significant part – ordered the disclosure of names of certain youth councillors.

More importantly, the Supreme Court will hear an appeal from the Scottish Court of Session in July about a FOISA request for the number of individuals employed by the Council on specific points in the pay structure. The council relied on the personal data exemption (contending that individuals could be identified from the requested information), but the Scottish Information Commissioner ordered disclosure and succeeded before Scotland’s highest court. The Supreme Court will consider issues including the approach to ‘legitimate interests’ under condition 6(1) of schedule 2 to the DPA (the condition most often relied upon in support of disclosing personal data to the public). The case is likely to have far-reaching implications. For more detail, see Alistair Sloan’s blog.

Panopticon will, as ever, keep its eye on these and other related developments.

Robin Hopkins

Privacy and data protection developments in 2013: Google, Facebook, Leveson and more

March 11th, 2013 by Robin Hopkins

Data protection law was designed to be a fundamental and concrete dimension of the individual’s right to privacy, the primary safeguard against misuse of personal information. Given those ambitions, it is surprisingly rarely litigated in the UK. It also attracts criticism as imposing burdensome bureaucracy but delivering little in the way of tangible protection in a digital age. Arguably then, data protection law has tended to punch below its weight. There are a number of reasons for this.

One is that Directive 95/46/EC, the bedrock of data protection laws in the European Union, is the product of a largely pre-digital world; its drafters can scarcely have imagined the ubiquity of Google, Twitter, Facebook and the like.

Another is that in the UK, the evolution of Article 8 ECHR and common law privacy and breach of confidence actions has tended to deprive the Data Protection Act 1998 of the oxygen of litigation – before the House of Lords in Campbell v MGN [2004] UKHL 22, for example, it was agreed that the DPA cause of action “added nothing” to the supermodel’s breach of confidence claim (para. 130).

A further factor is that the DPA 1998 has historically lacked teeth: a court’s discretion to enforce subject access rights under s. 7(9) is “general and untrammelled” (Durant v FSA [2003] EWCA Civ 1746 at para. 74); damages under s. 13 can only be awarded if financial loss has been incurred, and the Information Commissioner has, until recently, lacked robust enforcement powers.

This landscape is, however, undergoing very significant changes which (one hopes) will improve data protection’s fitness for purpose and amplify its contribution to privacy law. Here is an overview of some of the more notable developments so far in 2013.

The draft Data Protection Regulation

The most fundamental feature of this landscape is of course EU law. The draft DP Regulation, paired with a draft Directive tailored to the crime and security contexts, was leaked in December 2011 and published in January 2012 (see Panopticon’s analysis here). The draft Regulation, unlike its predecessor, would be directly effective and therefore not dependent on implementation through member states’ domestic legislation. Its overarching aim is harmonisation of data protection standards across the EU: it includes a mechanism for achieving consistency, and a ‘one-stop shop’ regulatory approach (i.e. multinationals are answerable only to their ‘home’ data protection authority). It also tweaks the law on international data transfers, proposes that most organisations have designated data protection officers, offers individuals a ‘right to be forgotten’ and proposes eye-watering monetary penalties for data protection breaches.

Negotiations on that draft Regulation are in full swing: the European Parliament and the Council of the European Union’s DAPIX (Data Protection and Information Exchange) subgroup are working on their recommendations separately before coming together to approve the final text (for more detail on the process, see the ICO’s outline here).

What changes, if any, should be made to the draft before it is finalised? That rather depends on who you ask.

In January 2013, the UK government set out its views on the draft Regulation. It did so in the form of its response to the recommendations of the Justice Select Committee following the latter’s examination of the draft Regulation. This is effectively the government’s current negotiation stance at the EU table. It opposes direct effect (i.e. it wants a directive rather than a regulation), thinks the ‘right to be forgotten’ as drafted is misconceived, favours charging for subject access requests and opposes the mandatory data protection officer requirement. The government considers that promoters of the draft have substantially overestimated the savings which the draft would deliver to business. The government also “believes that the supervisory authorities should have more discretion in the imposition of fines and that the proposed removal of discretion, combined with the higher levels of fines, could create an overly risk-averse environment for data controllers”. For more on its stance, see here.

The ICO also has significant concerns. It opposes the two-stream approach (a mainstream Regulation and a crime-focused Directive) and seeks clarity on pseudonymised data and non-obvious identifiers such as logs of IP addresses. It thinks the EU needs to be realistic about a ‘right to be forgotten’ and about its power over non-EU data controllers. It considers the current proposal to be “too prescriptive in terms of its administrative detail” and unduly burdensome for small and medium-sized enterprises in particular.

Interestingly, while the ICO favours consistency in terms of sanctions, it cautions against total harmonisation on all fronts: “Different Member States have different legal traditions. What is allowed by law is not spelled out in the UK in the way that it is in some other countries’ legal systems. The proposed legislation needs to reflect this, particularly in relation to the concept of ‘legitimate interests’.” For more on the ICO’s current thinking, see here.

Those then are the most influential UK perspectives. At an EU level, the European Parliament’s report on the draft Regulation is more wholeheartedly supportive. The European Parliament’s Industry Committee is somewhat more business-friendly in its focus, emphasising the importance of EU-wide consistency and a ‘one-stop shop’. Its message is clear: business needs certainty on data protection requirements. It also urges further exemptions from data protection duties for small and medium-sized enterprises “which are the backbone of Europe’s economy”. The Industry Committee’s views are available here.

Negotiations continue, the aim being to finalise the text by mid-2013. The European Parliament is likely to press for the final text to resemble the draft very closely. On the other hand, Ireland holds the Presidency of the Commission and of DAPIX – until mid-2013. Its perspective is probably closer to the UK ICO’s in tenor. There are good prospects of at least some of their views being reflected in the final draft.

A number of the themes of the draft Regulation and the current negotiations are already surfacing in litigation, as explained below.

The Leveson Report

Data protection legislation in the UK will be affected not only by EU developments but by domestic ones too.

In recent weeks, debate about Leveson LJ’s report on the culture, practices and ethics of the press has tended to focus on the Defamation Bill which is currently scraping its way through Parliament. In particular, the debate concerns the merits of an apparently Leveson-inspired amendment tabled by Lord Puttnam which, some argue, threatens to derail this legislative overhaul of libel law in the UK (for one angle on this issue, see David Allen Green’s piece in the New Statesman here).

The Leveson Report also included a number of recommendations for changes to the DPA 1998 (see Panopticon’s posts here and here). These included overhauling and expanding the reach of the ICO and allowing courts to award damages even where no financial loss has been suffered (arguably a befitting change to a regime concerned at heart with personal privacy).

The thorniest of Leveson LJ’s DPA recommendations, however, concerned the wide-ranging ‘journalism exemption’ provided by s. 32. The ICO has begun work on a code of practice on the scope and meaning of this exemption. It has conducted a ‘framework consultation’, i.e. one seeking views on the questions to be addressed by the code, rather than the answers at this stage (further consultation will happen once a code has been drafted).

There is potential for this code to exert great influence: s. 32(3) says that in considering whether “the belief of a data controller that publication would be in the public interest was or is a reasonable one, regard may be had to his compliance with” any relevant code of practice – if it has been designated by order of the Secretary of State for this purpose. There is as yet no indication of an appetite for such designation, but it is hoped that, the wiser the code, the stronger the impetus to designate it.

The ICO’s framework consultation closes on 15 March. Watch out for (and respond to) the full consultation in due course.

Google – confidentiality, informed consent and data-sharing

Google (the closest current thing to a real ‘panopticon’?) has been the subject of a flurry of important recent developments.

First, certain EU data protection bodies intend to take “repressive action” against some of Google’s personal data practices. These bodies include the French authority, CNIL (the Commission nationale de l’informatique et des libertés) and the Article 29 Working Party (an advisory body made of data protection representatives from member states). In October 2012, following an investigation led by CNIL, the Working Party raised what it saw as deficiencies in Google’s confidentiality rules. It recommended, for example, that Google provide users with clearer information on issues such as how personal data is shared across Google’s services, and on Google’s retention periods for personal data. Google was asked to respond within four months. CNIL has reported in recent weeks that Google did not respond. The next step is for the Working Party “to set up a working group, led by the CNIL, in order to coordinate their repressive action which should take place before summer”. It is not clear what type of “repressive action” is envisaged.

Google and the ‘right to be forgotten’

Second, Google is currently involved in litigation against the Spanish data protection authority in the Court of Justice of the EU. The case arises out of complaints made to that authority by a number of Spanish citizens whose names, when Googled, generated results linking them to false, inaccurate or out-of-date information (contrary to the data protection principles) – for example an old story mentioning a surgeon’s being charged with criminal negligence, without mentioning that he had been acquitted. The Spanish authority ordered Google to remove the offending entries. Google challenged this order, arguing that it was for the authors or publishers of those websites to remedy such matters. The case was referred to the CJEU by the Spanish courts. The questions referred are available here.

The CJEU considered the case at the end of February, with judgment expected in mid-2013. The case is obviously of enormous relevance to Google’s business model (at least as regards the EU). Also, while much has been made about the ‘right to be forgotten’ codified in the draft EU Regulation (see above), this Google case is effectively about whether that right exists under the current law. For a Google perspective on these issues, see this blog post.

Another development closer to home touches on similar issues. The Court of Appeal gave judgment last month in Tamiz v Google [2013] EWCA Civ 68. Mr Tamiz complained to Google about comments on the ‘London Muslim’ blog (hosted by Google) which he contended were defamatory in nature. He asked Google to remove that blog. He also sought permission to serve proceedings on Google in California for defamation occurring between his request to Google and the taking down of the offending blog. Agreeing with Google, the Court of Appeal declined jurisdiction and permission to serve on Google in California.

Mr Tamiz’s case failed on the facts: given the small number of people who would have viewed this blog post in the relevant period, the extra-territorial proceedings ‘would not be worth the candle’.

The important points for present purposes, however, are these: the Court of Appeal held that there was an arguable case that Google was the ‘publisher’ of those statements for defamation purposes, and that it would not have an unassailable defence under s. 1 of the Defamation Act 1996. Google provided the blogging platform subject to conditions and had the power to block or remove content published in breach of those conditions. Following Mr Tamiz’s complaint, Google knew or ought to have known that it was causing or contributing to the ongoing publication of the offending material.

A ‘publisher’ for defamation purposes is not co-extensive with a ‘data controller’ for DPA purposes. Nonetheless, these issues in Tamiz resonate with those in the Google Spain case, and not just because of their ‘right to be forgotten’ subtext. Both cases raise this question: is it right to hold Google to account for its role in making false, inaccurate or misleading personal information available to members of the public? If it is, another question might also arise in due course: to what extent would Leveson-inspired amendments to the s. 32 DPA 1998 exemption (on which the ICO is consulting) affect service providers like Google?

Facebook, Google and jurisdiction

The Google Spain case also involves an important jurisdictional argument. Google’s headquarters are in California. It argued before the CJEU that Google Spain only sells advertising to the parent company, and that these complaints should therefore be considered under US data protection legislation. In other words, it argues, this is not a matter for EU data protection law at all. The Spanish authority argues that Google Spain’s ‘centre of gravity’ is in Spain: it links to Spanish websites, has a Spanish domain name and processes personal data about Spanish citizens and residents.

Victory for Google on this point would significantly curtail the data protection rights of EU citizens in this context.

Also on jurisdictional matters, Facebook has won an important recent victory in Germany. Schleswig-Holstein’s Data Protection Commissioner had ruled that Facebook’s ‘real names policy’ (i.e. its policy against accounts in pseudonymous names only) was unfair and unlawful. The German administrative court granted Facebook’s application for the suspension of that order on the grounds that the issue should instead be considered by the Irish Data Protection Authority, since Facebook is Dublin-based.

Here then, is an example of ‘one-stop shop’ arguments surfacing under current EU law. The ‘one-stop shop’ principle is clearly very important to businesses. In the Facebook case, it would no doubt say that its ‘home’ regulator understands its business much better and is therefore best equipped to assess the lawfulness of its practices. The future of EU law, however, is as much about consistency across member states as about offering a ‘one-stop shop’. The tension between ‘home ground advantage’ and EU-wide consistency is one of the more interesting practical issues in the current data protection debate.

Enforcement and penalties issued by the ICO

One of the most striking developments in UK data protection law in recent years has been the ICO’s use of its enforcement and (relatively new) monetary penalty powers.

On the enforcement front, the Tribunal has upheld the ICO’s groundbreaking notice issued against Southampton City Council for imposing audio recording requirements in taxis (see Panopticon’s post here).

The issuing of monetary penalties has continued apace, with the ICO having issued in the region of 30 notices in the last two years. In 2013, two have been issued.

One (£150,000) was on the Nursing and Midwifery Council, for losing three unencrypted DVDs relating to a nurse’s misconduct hearing, which included evidence from two vulnerable children. The second (£250,000) was on a private sector firm, Sony Computer Entertainment Europe Limited, following the hacking of Sony’s PlayStation Network Platform in April 2011, which the ICO considered “compromise[ed] the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk.”

In the only decision of its kind to date, the First-Tier Tribunal upheld a monetary penalty notice issued against Central London Community Care NHS Trust for faxing patient details to the wrong number (see Panopticon’s post here). The First-Tier Tribunal refused the Trust permission to appeal against that decision.

Other penalty notices are being appealed to the Tribunal – these include the Scottish Borders notice (which the Tribunal will consider next week) and the Tetrus Telecoms notice, the first to be issued under the Privacy and Electronic Communications Regulations 2003.

It is only a matter of time before the Upper Tribunal or a higher court considers a monetary penalty notice case. At present, however, there is no binding case law. To that extent, the monetary penalty system is a somewhat uncertain business.

The question of EU-wide consistency raises more fundamental uncertainty, especially when one considers the mandatory fining regime proposed in the draft EU Regulation, with fines of up to €1,000,000 or 2% of the data controller’s global annual turnover.

By way of contrast, 13 administrative sanctions for data protection breaches were issued in France in 2012, the highest fine being €20,000. Enforcement in Germany happens at a regional level, with Schleswig-Holstein regarded as on the stricter end; overall however, few fines are issued in Germany. How the ‘one-stop shop’ principle, the consistency mechanism and the proposed new fining regime will be reconciled is at present anyone’s guess.

From a UK perspective, however, the only point of certainty as regards monetary penalty notices is that there will be no slowing down in the ICO’s consideration of such cases in the short- to medium-term.

It is of course too early to say whether the developments outlined above will elevate data protection law from a supporting to a leading role in protecting privacy. It is clear, however, that – love them or hate them – data protection duties are increasingly relevant and demanding.

Robin Hopkins

Court of Appeal gives judgment on credit reference agencies and accuracy of personal data

February 20th, 2013 by Robin Hopkins

The fourth data protection principle requires that “personal data shall be accurate and, where necessary, kept up to date”. It does not, however, “impose an absolute and unqualified obligation on [data controllers] to ensure the entire accuracy of the data they maintain. Questions of reasonableness arise in the application of the fourth principle, as paragraph 7 of Part II of Schedule I spells out.” This statement by Davis LJ (at para. 80) encapsulates the case of Smeaton v Equifax plc [2013] EWCA Civ 108, in which the Court of Appeal handed down judgment today.

Equifax is a well-known credit reference agency. Between 22 May 2002 and 17 July 2006 Equifax included in its credit file concerning the Respondent, Mr Smeaton, an entry to the effect that he was subject to a bankruptcy order. This was incorrect – that order had been rescinded in 2002.

He was subsequently declined a business loan, with serious detrimental consequences for that business. He brought a claim against Equifax for those business losses and “other losses and distress consequent upon his descent into a chaotic lifestyle”.

Initially, his cause of action was defamation. By the time of trial in 2011, it had become (a) a claim under s. 13 of the Data Protection Act 1998, and (b) a parallel common law tort claim.

The judge, HHJ Thornton QC (having substantially amended the first draft of his judgment following submissions at handing down), found that Equifax had breached the fourth data protection principle (as well as the first and the fifth, though he had heard no argument on these points), that it owed Mr Smeaton a parallel duty in tort and that he had suffered losses as a result of these breaches.

The Court of Appeal disagreed in strong terms, Tomlinson LJ saying this at para. 11 about the judge’s approach and conclusions – particularly on causation:

“In retrospect it is I think unfortunate that the judge attempted to resolve the causation issue in principle, divorced from the question what loss could actually be shown to have been caused by the asserted breaches of duty. I have little doubt that Mr Smeaton believes in all sincerity that a good number of the vicissitudes that have befallen him can be laid at the door of Equifax, but a close examination of the relationship between the losses alleged and the breaches of duty found by the judge would perhaps have introduced something in the way of a reality check. Had the judge looked at both issues together he might I think have had a better opportunity to assess the proposition in the round. As it is, the judge’s conclusion that the breaches of duty which he identified caused Mr Smeaton loss in that they prevented Ability Records from obtaining a loan in and after mid-2006 is in my view not just surprising but seriously aberrant. It is without any reliable foundation and completely unsupported, indeed contradicted, by the only evidence on which the judge could properly rely.”

Turning from the facts of the case and the question of causation to the approach to the fourth data protection principle in general, Tomlinson LJ said this at para. 44:

“The judge was also in my view wrong to regard the mere fact that the data had become inaccurate and remained accessible in its inaccurate form for a number of years as amounting to a “clearly established breach of the fourth principle” – judgment paragraph 106. Paragraph 7 of Part II provides that the fourth principle is not, in circumstances where the data accurately records [erroneous] information obtained by the data controller from the data subject or a third party, to be regarded as contravened if the data controller has, putting it broadly, taken reasonable steps to ensure the accuracy of the data. A conclusion as to contravention cannot in such a case be reached without first considering whether reasonable steps have been taken. As the facts of this case show, that may not always be a straightforward enquiry. Perhaps often it will and it may not therefore usually be difficult to establish a contravention. Once it is concluded that reasonable steps were not taken in this regard, a consumer may seek compensation under s.13. It will then be a defence for the data controller to show that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned. It may be that that enquiry is in substance no different from that required under paragraph 7 of Part II in the limited class of case to which that paragraph refers. However it should be noted that in cases not covered by paragraph 7 a contravention may be established without consideration of the reasonableness of the steps taken by the data controller. In such a case reasonableness would arise only if a defence were mounted under s.13(3).”

Tomlinson LJ then summarised the law and relevant legal guidance on credit reference agencies and bankruptcy proceedings. At para. 59, he concluded that:

“The judge’s approach begins with the observation, at paragraph 95 of the judgment, that erroneous or out of date data which remains on a consumer’s credit file can be particularly damaging. Of course this is true, and nothing I say in this judgment is intended to undermine the importance of the fourth data protection principle. But before deciding what is the ambit of the duty cast upon CRAs to ensure the accuracy of their data, it is necessary to put this important principle into context and to maintain a sense of proportion. In the context of lending, arrangements have been put in place to ensure that an applicant for credit should not suffer permanent damage as a result of inaccurate information appearing on his file. As recorded above these safeguards are set out in the Guide to Credit Scoring and are further explained in at least two other published documents…. The judge made no reference to these arrangements which are in my view relevant to the question how onerous a duty should be imposed upon a CRA to ensure that its data is accurate. I agree with Mr Handyside that in most cases of applications for credit failed on account of incorrect data the harm likely to be suffered is temporary inconvenience. It is possible that the judge overlooked this as a result of his flawed conclusion that it was inaccurate data, or more precisely the alleged breach of duty which gave rise thereto, which prevented Mr Smeaton / Ability Records from obtaining credit in and after July 2006.”

He continued at para 62:

“The judge ought in my view to have taken into account that these various publications demonstrate that both the methods by which CRAs collected and updated their data and the shortcomings in those methods were well-known to and understood by the Information Commissioner and the Insolvency Service.”

Tomlinson LJ also concluded (at paras. 67-68) that part of the judge’s conclusions on DPA breach “amounts to a conclusion that Equifax was in breach of the duty required of it under the DPA because it failed to attempt to persuade the Secretary of State and the Insolvency Service to initiate modifications to the legislative and regulatory framework and in particular failed to secure the reversal of the legislative choice made in 1986 no longer to require the automatic advertisement of annulments and rescissions. I do not consider that this is a realistic conclusion. Self-evidently it is not realistic to conclude that an exercise of this sort was either necessary or feasible in relation to a tiny number of cases where the consequences of inaccuracy could not normally be expected to be anything other than temporary inconvenience. A duty the content of which is to lobby for a change in the law must be very uncertain in its ambit and extent and in my view is implausible.”

Finally, not only had the judge erred in his approach to causation and the fourth data protection principle, he was also wrong to find that there was a parallel duty in common law: the House of Lords said in Customs and Excise Commissioners v Barclays Bank [2007] 181 that statutory duties cannot generate parallel common law ones, and on the traditional three-fold test of foreseeability, proximity and whether it is fair, just and reasonable to impose a duty, the answer here would also be ‘no’.

The judgment will be welcomed not only by credit reference agencies, but by all those data controllers whose particular circumstances mean that data inaccuracy is, best efforts notwithstanding, an occupational hazard.

For another blog post on this judgment, see Information Rights and Wrongs, where Jon Baines was quick off the mark.

Robin Hopkins

Police Surveillance – New tribunal decision

June 20th, 2012 by Anya Proops

Earlier this month Robin Hopkins blogged on a recent admin court judgment applying Article 8 to the police’s act of retaining data on a protestor (see his post on the Catt case here). This week the Information Tribunal handed down a judgment concerning another aspect of police surveillance, namely the automatic number-plate recognition (ANPR) system, which is now in widespread use across Great Britain. In Mathieson v IC & Devon & Cornwall Constabulary (EA/2010/0174), Mr Mathieson, a Guardian journalist, requested disclosure from the Constabulary of the location of all the ANPR cameras within the area of the Devon & Cornwall Constabulary. The Constabulary refused disclosure on an application of ss. 24 (national security) and 31 (prevention of crime) FOIA. The Commissioner upheld the Constabulary’s refusal notice on the basis that the location information was exempt from disclosure under s. 31. Mr Mathieson appealed against the Commissioner’s decision.

At the hearing before the Tribunal, it was conceded on behalf of Mr Mathieson that, on all the evidence, both ss. 24 and 31 were engaged in respect of the location information. The key issue which the Tribunal was called upon to determine was whether the public interest balance nonetheless weighed in favour of disclosure. In summary, the Tribunal held that the use of the ANPR system by the Constabulary inevitably gave rise to serious civil liberty concerns. This was not least because the system indiscriminately recorded the number-plate of every single vehicle passing before the individual cameras, irrespective of whether the vehicles may be being used as part of a criminal enterprise or as a result of individuals innocently and lawfully going about their day to day business. However, it nonetheless went on to find that the public interest balance weighed firmly in favour of maintaining the exemptions. This was because, on all the available evidence, it was clear that revealing the location of the individual cameras within Devon and Cornwall would have enhanced the ability of criminals, including terrorists, effectively to bypass the ANPR system, thus helping them to evade detection and prosecution.

In the course of its decision, the Tribunal held that: ‘there is always likely to be a substantial public interest in maintaining the exemptions we are concerned with, in particular that provided by section 24 which relates to national security’ (§8). It also held that, whilst disclosure of the location information may only have tipped the balance slightly in favour of the criminals, not least because they may in any event have been able to identify the cameras through their own efforts, that was sufficient to result in a situation where the location information must be treated as exempt (§10).

Notably, a separate question was raised during the course of the appeal as to whether the information captured by the ANPR system amounted to ‘personal data’ in the hands of the Constabulary. Mr Mathieson and the Commissioner submitted that it did. The Constabulary disputed this conclusion. Ultimately, the Tribunal took the view that it did not need to resolve this dispute for the purposes of determining the appeal.

I am limited in what I can say about this case, having appeared on behalf of the Commissioner. However, it is clear from the judgment that there is an abiding issue as to the legality of the ANPR system and, in particular, whether it unjustifiably interferes with the right to privacy under Article 8 and/or with the data subject’s rights under the DPA. Whilst this is a nettle which the Tribunal itself considered it did not need to grasp in the circumstances of the Mathieson appeal, there can be little doubt but that it is a nettle which will be subject to judicial examination in the future.

Anya Proops

Important new privacy judgment: police retention of protestor’s data not an Article 8 infringement

June 1st, 2012 by Robin Hopkins

The Admin Court (Gross LJ and Irwin J) has handed down judgment this week in Catt v Association of Chief Police Officers and Commissioner of Police of the Metropolis [2012] EWHC 1471 (Admin). It is an extremely important judgment on Article 8 ECHR in the context of personal information retained for policing purposes. It is also notable for its analysis of protest as an inherently public activity.

The background

ACPO launched a National Domestic Extremism Database containing information provided by police forces. The Metropolitan Police subsequently assumed responsibility for the database. The database contained information relating to the attendance by the claimant (an 87-year-old protestor of good character) at various political protests made by a group called “Smash EDO”. Smash EDO opposes a US arms manufacturer with a factory in Brighton; its activities have often involved violent disorder and criminality (though apparently not by the claimant), necessitating a substantial police presence. Police officers overtly gathered information (including photographic and video material) at those protests. They then compiled reports on the protests, identifying a number of individuals including the claimant. The information at issue in this case comprised those sorts of reports – they were about incidents rather than the claimant per se, although the claimant was identified in the reports. The defendants retained that information pursuant to the statutory Code of Practice on the Management of Police Information, made under the Police Acts 1996 and 1997, and associated Guidance on the Management of Police Information.

The issues

The overarching issue was whether this infringed Mr Catt’s rights under Article 8 ECHR, the right to respect for private life.

It is important (if not entirely surprising) to note how the parties and the Court saw Article 8 and the Data Protection Act 1998 interacting (see paragraph 6(iv)). All agreed that the DPA was theoretically in play, but added nothing: if the Article 8 claim succeeded then the DPA claim was not needed; if Article 8 was engaged, but the interference was justified, then the DPA claim would automatically fail; if Article 8 was not engaged, the prospects of success under the DPA were negligibly remote.

The issues were therefore: (i) whether there was an interference with the claimant’s rights under Article 8(1), and (ii) if so, whether this interference was justified. The Court said no on both counts, by application of the authorities to three crucial findings.

Crucial findings

First, the Court accepted the need for such information to be retained by the police. Gross LJ said this at paragraph 19:

“… the use of intelligence is a fundamental policing tool.  Investigators need the ability to identify relationships within protest groups. Likewise, they need to be able to identify individuals associated with the use of particular tactics, together with those with a propensity to violence, disorderly behaviour and organised coordinated actions.  Although Mr. Catt has not been convicted of any offence, the evidence, which again I accept, is that his close association with violent members of Smash EDO and knowledge of this association is of intelligence value.  Such knowledge forms part of a “far wider picture of information”… needed by the police, inter alia, to investigate incidents of criminality and to assist the policing of future events.”

Secondly, “the essential nature of such activity [protesting] is that it is of a public nature. Indeed, its very object is to make others aware of his views and the causes to which he lends his support” (paragraph 36).

Thirdly, given the violent disorder which characterised Smash EDO’s activities, it was reasonable to expect the police to gather and retain such information. This was especially so as this information had been gathered by overt rather than covert policing.

Issue 1: Article 8(1) neither engaged nor infringed

Given those findings, the Court concluded that the claimant’s rights under Article 8(1) were not engaged at all. The claimant’s reliance on R (Wood) v Commr of Police of the Metropolis [2009] EWCA Civ 414 did not assist: the facts were different, and it would be “unreal and unreasonable” to find an infringement of Article 8(1) in the present case.

Issue 2: interference would in any event be justified

The Court went on to conclude that even if there had been an interference with Article 8(1), this would be justified. The claimant had argued inter alia that he was not personally suspected of criminality and that there was no democratic oversight of the database system. The defendant argued inter alia that, given Smash EDO’s activities, the retention of this sort of information – police reports as opposed, for example, to photos or video material – was reasonably necessary and proportionate.

Gross LJ (with whom Irwin J agreed) had “no hesitation in concluding that any interference with Mr. Catt’s rights was amply justified under Art. 8.2”.

His reasons included the following (paragraph 64):

“Any interference with Mr. Catt’s Art. 8.1 rights was at the margins. The reports, the product of overt policing, did no more than record Mr. Catt’s public activities, the very object of which was to convey his views to as wide an audience as possible.  The reports were compiled and retained for intelligence purposes, in accordance with the Code and the Guidance, with a view to an appropriate police response to a campaign marred by serious, persistent criminality and posing a significant public order problem.”

Irwin J agreed that there was no expectation of privacy here, applying the approach in Campbell v MGN [2004] UKHL 22.

At paragraph 70 he added that it was not easy to see “… how it can affect the engagement of Art 8.1 that the material is recorded by police officers as opposed, say, to journalists; or collated and held within the National Extremism Database, as opposed to a local history archive in the town where the demonstrations have been held.  The latter distinction was advanced by Mr Owen (“the entries were not recorded on any database…”).  The issue is not whether the individual concerned likes or dislikes the thought of the data being held by this or that body: the issue is whether a reasonable expectation of privacy arises.  In my judgment, it does not arise in respect of any of the information in this case.”

Irwin J did, however, add this observation at paragraph 70, which might give rise to interesting arguments in future cases on such issues:

“Different questions might arise if material recorded in that context were collated with material which was private in its nature.  That does not arise in this case.”

What about ongoing retention of this information?

Gross LJ thought it sensible for the police to review their retention of this sort of information when the Smash EDO campaign concludes, but he agreed with Irwin J’s comments at paragraph 73 that:

“… even when the Smash EDO campaign ends, it may yet be justifiable to retain some or all of this information.  The picture here is that there are connections between this group and parts of the animal rights movement, active before this group was formed.  It may be a legitimate function of intelligence to keep records of this group after it has ceased to be active, the better to understand the risks associated with after-coming groups with overlapping membership.  To my mind, there is no expectation that a review at a suitable point in the future will conclude otherwise.”

Robin Hopkins

SUBJECT ACCESS REQUESTS – MIXED MOTIVES AND PROPORTIONATE SEARCHES

April 25th, 2012 by Anya Proops

There are two questions which are frequently posed by data controllers in receipt of wide-ranging subject access requests. First, if the request is made in circumstances where the requester is pursuing litigation against the data controller, the data controller will often query whether the request can be refused on the ground that it is being pursued for improper collateral purposes. Second, if responding to the request comprehensively would be disproportionately resource intensive, the data controller will typically ask whether it is entitled to limit its search to one which is reasonable and proportionate in the circumstances. As the recent case of Elliott v Lloyds TSB Bank PLC & Anor (Case No: 0LS51908) illustrates, answering such questions is rarely straightforward.

The background to Elliott was that Mr Elliott was pursuing a grievance against Lloyds in connection with certain commercial matters. With a view to furthering his grievance, Mr Elliott submitted a request to Lloyds for pre-action disclosure. That request was refused on the ground that it did not comply with CPR 31.16. Thereafter, Mr Elliott submitted wide-ranging subject access requests to Lloyds. A considerable amount of information was disclosed by Lloyds in response to the requests. However, Mr Elliott was not satisfied with the material disclosed to him. He considered that further searches ought to be undertaken. Accordingly, he brought a claim against Lloyds in the County Court under s. 7(9) DPA (s. 7(9) affords the court a wide discretion to order a data controller to comply with a subject access request if it is satisfied that the data controller has not dealt with the request in accordance with the legislation). Lloyds sought to resist the claim on two grounds: first, the claim was an abuse of process as it was being pursued for the collateral purposes of furthering Mr Elliott’s interests in prospective commercial litigation against Lloyds; second, the claim should fail on the basis that the further searches for data which Mr Elliott was insisting should be conducted would be disproportionate in all the circumstances. Thus, both Mr Elliott’s motive and the issue of the proportionality of Lloyds’ searches were at stake in the litigation.

The Motive Issue

Mr Elliott’s case on the motive issue was that he was pursuing the claim for a legitimate purpose, namely that he wanted to find out whether Lloyds had been misusing his personal data (e.g. by improperly disclosing it to a third party). Lloyds’ position on the motive issue was as follows: either Mr Elliott was pursuing the claim purely in order to further his interests in the prospective commercial litigation or this was the dominant motivation for the claim; either way the s. 7(9) claim was being pursued for an improper collateral purpose and, as such, amounted to an abuse of process.

Following Durant v Financial Services Authority [2003] 1746, the judge (HHJ Behrens) readily accepted that, if the claim was being pursued purely for the collateral purpose of furthering Mr Elliott’s position in other prospective litigation, that would amount to an abuse of process which would justify the claim being struck out. However, he went on to query what the position would be if Mr Elliott in fact had mixed motives (i.e. he wanted the data in order to further the prospective commercial litigation but also wanted to discover whether his data had in fact been misused by Lloyds). Having considered the judgment of the High Court in Iesini v Westrip Holdings [2011] 1 BCLC 498, the judge took the view that, in a case involving mixed motives, the test which should be applied was a ‘but for’ test. Thus, if the claim would not have been brought but for the claimant’s collateral purpose in furthering his interests in the other litigation, the claim would have been brought for an improper purpose and would be liable to be struck out as an abuse of process. On the other hand, if the s. 7(9) claim would have been brought irrespective of the other prospective litigation, then it was not an abuse of process. Notably, the judge rejected an alternative test proposed by Lloyds, namely that the s. 7(9) claim would be an abuse of process if the ‘dominant purpose’ of the claim was an improper collateral purpose. The judge concluded that the dominant purpose test could not be reconciled with the approach approved by the court in Iesini.

With respect to Mr Elliott, the judge concluded that: he had mixed motives in bringing the s. 7(9) claim; however, he would still have brought the claim in the absence of the prospective commercial litigation and, as such, his claim under the DPA was not an abuse of process.

Proportionate Search

On the proportionate search issue, Mr Elliott argued that a data controller was not entitled to limit the scope of its search for personal data by reference to concepts such as reasonableness and proportionality. Insofar as the concept of proportionality was relevant at all under the DPA, it was relevant not to the search process per se but rather to the process of supplying the data to the applicant once it had been located (see further s. 8(2)(a) DPA which disapplies the general duty to provide the applicant with ‘a copy of the information in permanent form’ in circumstances where the supply of such a copy ‘is not possible or would involve disproportionate effort’). In support of these arguments, Mr Elliott relied on guidance published by the Information Commissioner.

Lloyds argued that this was not the correct approach and that, following Ezsias v Welsh Ministers [2007] All ER (D) 65, it was not obliged under the DPA to conduct a search requiring unreasonable or disproportionate effort. Lloyds further contended that, to the extent that the Commissioner’s guidance took a different view of the principles approved in Ezsias, the guidance was wrong and ought not to be followed. Lloyds argued that it would be disproportionate to conduct the further searches demanded by Mr Elliott. The judge accepted Lloyds’ case on the disproportionate effort issue. He agreed that the further searches sought by Mr Elliott were disproportionate and, hence, were not required under the DPA.

The court’s judgment on the proportionality issue is likely to offer considerable relief to data controllers, many of whom struggle under the burdens imposed by wide-ranging subject access requests. It remains to be seen whether the Commissioner will, in response to this judgment, seek to review his guidance. As for the judgment on the motive issue, it is worth noting that the court heard evidence directly from Mr Elliott on this issue and, further, that it found him to be ‘an honest witness’.

Finally, it is worth noting that, despite having won on the disproportionate search issue, Lloyds was still required to pay a substantial part of Mr Elliott’s costs. This was in no small part because Lloyds had disclosed a substantial amount of new data following the lodging of Mr Elliott’s claim. 11KBW’s James Cornwell acted for Lloyds.

Anya Proops

THE INFORMATION COMMISSIONER’S ROLE UNDER THE DPA

December 13th, 2011 by Rachel Kamm

An interesting issue about the scope of the DPA arose in The Law Society and others v Rick Kordowski [2011] EWHC 3185 (QB). The Law Society and a number of firms of solicitors sought an injunction requiring the Defendant, the publisher of the “Solicitors from Hell” website, to cease publication of the website in its entirety and to restrain him from publishing any similar website. The causes of action relied upon were libel, harassment under the Protection from Harassment Act 1997 and breach of the Data Protection Act 1998.

The Defendant was the data controller of personal data, including sensitive personal data (for example, allegations made by a third party on the Defendant’s website about the alleged commission of an offence by a solicitor). Mr Justice Tugendhat did not mince his words in finding that the Defendant was in breach of the DPA:

“In breach of the First Data Protection Principle the Defendant has not processed the personal data of the solicitors and other individuals named on the Website fairly and lawfully. The Defendant has processed the said personal data in a grossly unfair and unlawful way by, in particular, (a) publishing highly offensive defamatory allegations about these solicitors and other individuals on the Website; (b) pursuing a course of conduct against these solicitors and other individuals that amounts to harassment contrary to the PHA; (c) on numerous occasions refusing to remove the posting about a solicitor or other individual unless the Defendant is paid a fee. This is not permitted by law and is disreputable. (d) None of the conditions in Schedule 2 of the DPA 1998 is met by the Defendant in respect of the processing of the said personal data on the Website.

In breach of the Fourth Data Protection Principle the personal and sensitive personal data about solicitors and other individuals processed by the Defendant and published on the Website is not accurate, indeed it is usually seriously inaccurate. The Claimants rely upon the following, amongst other matters: (a) The wholly inaccurate and untrue allegations processed and published by the Defendant via the Website about the Third Claimant; (b) The Schedule of Complaints which sets out and describes how the personal data of solicitors and other individuals processed and published by the Defendant via the Website is inaccurate. (c) The Defendant’s failed attempts to justify defamatory allegations in the many cases brought against him for libel in respect of the defamatory publications on the Website as evidence of inaccurate information; in breach of the Sixth Data Protection Principle the Defendant did (and does) not process personal data of the solicitors and other individuals who are Individual Complainants in accordance with their rights, as he has failed to comply with the request made in the Complaints’ solicitor’s letter dated 12 August 2011.

…on 12 August 2011 the Claimants’ solicitor gave the Defendant formal notice under section 10(1) of the DPA that the individual complainants, who include the Third Claimant, required the Defendant to cease the processing of their personal data (i.e. to remove the offending material from the Website and destroy any copies retained elsewhere) as the processing of this data was (and continues) causing them unwarranted damage and distress. Additionally, the Claimants’ solicitor required the Defendant to agree not to process any data in the manner complained of in the future. As a result of the Defendant’s failure to comply with the Notice, he has breached the Sixth Data Protection Principle. The Defendant did not state that he considered the notice to be unjustified (as he could have done under section 10(3)(b) of the DPA).”

Not surprisingly, given these findings, Mr Justice Tugendhat concluded that the Third Claimant was entitled to an order under section 10(4), requiring the Defendant to comply with the Notice. He went on to comment on the scope of the DPA and the Information Commissioner’s powers. The background was that the Chief Executive of the Law Society had written to the Information Commissioner to complain about the website. The Information Commissioner had responded that the DPA was not designed to deal with this kind of case. The Commissioner considered that it was “not the purpose of the DPA to regulate an individual right to freedom of expression – even where the individual uses a third party website, rather than his own facilities, to exercise this”. He relied on section 36 DPA, which provides that “Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the Data Protection principles under provisions of Parts II [rights of data subjects and others] and III [Notification by data controllers]”. The Commissioner also highlighted the practical difficulties of trying to use the DPA to regulate material posted on websites.

Mr Justice Tugendhat expressed considerable sympathy with the Commissioner’s comments about the practical difficulties in cases such as this. However, his starting point was that the offensive comments on the website in question were unlawful and that the DPA required that data be processed lawfully. He did not see how the exemption in section 36 DPA could apply in this case. Mr Justice Tugendhat commented that had the Defendant been publishing information in the public interest on his website, he could have relied on the exemption relating to journalism in section 32 DPA. Further, the fact that a claimant may have claims under common law torts or the Human Rights Act 1998 did not prevent enforcement under the DPA. He concluded by commenting that where there is any room for argument as to whether processing is unlawful under the general law, it may be more appropriate that a complainant should be required to pursue his remedy in the courts and further that there may be many grounds on which the Commissioner may properly decline to exercise his powers under Part V DPA. However, where there is no room for argument that processing is unlawful, it was more difficult to say that the matter was not one which could be dealt with under Part V DPA. This ruling potentially has significant implications for the Commissioner in practice.

Rachel Kamm

JUDICIAL REVIEW AND THE DPA: PATIENT’S CONSENT VITAL

November 7th, 2011 by Robin Hopkins

The Court of Appeal last week gave judgment in R (on the application of TA) v North East London NHS Trust (not yet reported or publicly available). The case is an interesting illustration of (a) the Data Protection Act 1998 being used as a ‘shield’ in an application for judicial review, and (b) the vital importance of patient consent in the use of medical records.

TA was engaged in family court proceedings with his ex-wife concerning custody of their children. Part of her evidence in support of her suitability to care for the children was the report of a psychiatrist at the defendant NHS Trust. According to that report, TA’s ex-wife did not suffer from a mental health disorder. TA complained to the Trust about this report. The Trust refused to investigate the complaint because to do so would require it to access his ex-wife’s medical records. She had refused her consent to that access, and the Trust’s position was therefore that it could not investigate TA’s complaint without breaching the data protection principles in its processing of his ex-wife’s (sensitive) personal data. TA’s application for judicial review of the Trust’s refusal failed. So too did his appeal to the Court of Appeal.

Robin Hopkins

Launch of Information Law Reports

July 19th, 2011 by Rachel Kamm

The Information Law Reports launched on 14 July 2011, with the following announcement on 11KBW’s website:

Leading chambers 11KBW and legal publisher Justis Publishing are collaborating in a first for both organisations: the creation of a new series of law reports available both in bound volumes from next week and on the established Justis platform from this morning.

Information law is ever more important, seeking to balance the “right to know” and the “right to be left alone” in an age of massive databases and global information flows. We all want to protect our own privacy; but we also want to understand how public authorities make decisions and spend our money. This new series will help professionals grapple with these issues.

Timothy Pitt-Payne QC, a barrister at 11KBW and one of the editors of the new reports, said: “There is a growing case-law, generated by the specialist Information Rights Tribunal and the higher courts. Navigating this material and quickly identifying the most important recent developments is increasingly challenging. The Information Law Reports seek to meet this need, bringing together all the most important cases in a single source. 11KBW are delighted to be working with Justis on this much-needed project.”

Masoud Gerami, Managing Director of Justis Publishing, said: “We have had a number of significant milestones in our 25-year history, mostly associated with innovation and developments which have changed legal information dissemination for the better. I am delighted that another milestone has been added to our list of achievements by producing the new series of Information Law Reports in association with 11KBW, the leaders in this increasingly important field. I believe that the complementary nature of the expertise from the partners in this project is the ideal requirement for any successful product or service, and we look forward to a continued relationship with 11KBW.”

He added: “This is also the first time that Justis Publishing has produced a product in hard copy, and we are very excited about the possibilities that the combination of hard copy and online versions will present.”

For further information, please call +44 (0)20 7267 8989 or email press@justis.com.

PERSONAL DATA: CRUCIAL POINTS FROM THE ‘ABORTION STATISTICS’ CASE

June 14th, 2011 by Robin Hopkins

Judgment in Department of Health v IC [2011] EWHC 1430 (Admin) – the ‘abortion statistics’ appeal – was handed down on 20 April this year. Cranston J’s judgment has now been made available. The following salient points from that judgment may be of use to those interested in the concept and extent of ‘personal data’ under s. 40 FOIA and the DPA – especially when looking at the grey area of statistics or other anonymous data which is rooted in or derived from other data which is more overtly personal. The judgment is also essential reading for anyone grappling with the application of the leading House of Lords decision on this subject, Common Services Agency v Scottish Information Commissioner [2008] UKHL 47, [2008] 1 WLR 1550 (‘CSA’). (‘Grappling’ is probably apt: even Cranston J conceded that “it would be wrong to pretend that the interpretation of the CSA case is an easy matter”).

Briefly by way of background: the Department refused a request for detailed statistics on the number of late-term abortions carried out on prescribed grounds. It relied on s. 40 FOIA, basing its case on the risk that, given the ‘low cell counts’ in these categories, the relevant patients and/or doctors might be identified by those sufficiently motivated to do so. The Commissioner found that these statistics were not personal data. The Information Tribunal agreed with the Department that they did constitute personal data, but was not satisfied that s. 40 was effective, as there was insufficient risk of identification.

On the Department’s appeal to the High Court, Cranston J agreed with the Commissioner that these statistics are not personal data.

One route to that conclusion was that advocated by the Commissioner, namely to adopt the approach of Baroness Hale in CSA: anonymised statistics remain personal data and therefore subject to the protection of the DPA in the hands of the data controller (who possesses the underlying data from which individuals could be identified) but not in the hands of the general public (who do not). This approach commended itself to the Upper Tribunal in the recent case of All Parliamentary Group on Extraordinary Rendition v Information Commissioner [2011] UKUT 153 AAC (on which, see my post here).

Cranston J, however, rejected that route, as it was the reasoning of Lord Hope rather than Baroness Hale in CSA which had attracted the majority’s support in that case. Lord Hope’s approach can be paraphrased as follows. The definition of personal data under s. 1 DPA provides for two means of identification: either from the data itself (inapplicable in the case of anonymous statistics) or “from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”. Lord Hope’s approach to situations such as this is to ask: does the ‘other information’ (if provided to the hypothetical member of the public) add anything to the statistics which would enable them to identify the underlying individuals? If the answer is no, the statistics are not personal data. The underlined words are important: if identification can be achieved from the ‘other information’ in isolation (rather than when added to the statistics) then the statistics themselves are truly anonymous, and are not personal data. The statistics in this case failed Lord Hope’s test, and were thus not personal data.

Cranston J’s conclusion was that the Tribunal had been correct to conclude that the data was ‘truly anonymised’ – but it had erred in treating this as personal data which had been truly anonymised. The Department contended that, because it held the underlying identification data, the abortion statistics remained personal data in all circumstances. Cranston J rejected this submission, stating that:

“If that were the case, any publication would amount to the processing of sensitive personal data…  Thus, the statistic that 100,000 women had an abortion in a particular year would constitute personal data about each of those women, provided that the body that publishes this statistic has access to information which would enable it to identify each of them.  That is not a sensible result and would seriously inhibit the ability of healthcare organisations and other bodies to publish medical statistics”.

In going on to dismiss the Department’s other grounds of appeal, Cranston J made a number of other points of general application. For example, in rejecting the criticism that the Tribunal had failed adequately to engage with the Department’s expert evidence, Cranston J said this:

“To begin, the issue before the Tribunal was one of assessment: the likelihood that a living individual could be identified from the statistics.  That was in my judgment only partly a question of statistical expertise, as regards matters such as the sensitivity of the data.  Partly, also, it was a matter of assessing a range of every day factors, such as the likelihood that particular groups, such as campaigners, and the press, will seek out information of identity and the types of other information, already in the public domain, which could inform the search.  These are factors which the Tribunal was in as good a position to evaluate as the statistical experts, a point which one of the Department of Health’s experts conceded.  The analysis also applies to the evidence of senior civil servants.”

As regards the Department’s contentions that conditions from Schedules 2 and 3 of the DPA were not met, their points were “wounding” to the Tribunal’s judgment, but not “fatal”, in light of the evidence at the Tribunal hearing. Finally, Cranston J described the Department’s argument based on Article 8 ECHR as “very much a jury argument”.

Interestingly, on the same day as judgment was given in this case, the High Court (Kenneth Parker J) gave judgment in R (BT & Anor) v The Secretary of State for Business, Innovation and Skills [2011] EWHC 1021 (Admin)  – BT’s unsuccessful application for judicial review of the Digital Economy Act 2010 (on which, see my piece here). One of the grounds of challenge was alleged non-compliance with the Data Protection Directive. In that judgment, IP addresses (anonymous strings of numbers linked to internet subscribers’ accounts) were treated as personal data even in the hands of copyright owners who possessed only those IP addresses. This was by application of the definition of personal data under the Directive: here copyright owners were deemed likely to come into possession of the underlying personal data when taking legal action against the individual internet subscribers who downloaded content in breach of copyright. This conclusion was reached independently of the Lord Hope test. Note, however, that it seems from the judgment that this question – are IP addresses always personal data or not – was not argued in full before Kenneth Parker J. There is talk of a potential appeal, so the application of these principles to IP addresses might be considered in the courts again before too long.

Robin Hopkins