EXTRAORDINARY RENDITION UPPER TRIBUNAL APPEAL: LATE RELIANCE, PERSONAL DATA & OTHER ISSUES

April 26th, 2011 by Robin Hopkins

The All Party Parliamentary Group on Extraordinary Rendition (APG) requested information from the Ministry of Defence on (i) memoranda of understanding between the UK and the governments of Iraq, Afghanistan and the USA regarding the treatment of prisoners detained in the conflicts in Iraq and Afghanistan, (ii) a copy of the Detentions Practices Review, (iii) a copy of the UK’s policy on capture and joint transfer, and (iv) statistics on detainees held in Iraq and Afghanistan. The MOD refused the requests, relying on a number of exemptions under FOIA. For the most part, the Commissioner agreed. APG’s appeal was expedited to the Upper Tribunal and heard by Blake J, Andrew Bartlett QC and Rosalind Tatam.

Except as regards request (iii), its appeal has succeeded, to a limited but substantial extent. The Upper Tribunal has ordered disclosure of significantly more information than that ordered by the Commissioner.

Its judgment (available here) is complex. Some of the key points of interest are as follows.

Late reliance

The Upper Tribunal was mindful of the decision of a differently constituted Upper Tribunal in the DEFRA/Birkett appeals, where it was held that public authorities may rely on exemptions as of right at any stage in proceedings. In this case, the Upper Tribunal did not need to decide the issue of late reliance, but it did confess to having “some general concerns” about such an approach, which threatens to “turn the time limit provisions of ss. 10 and 17 almost into dead letters”, and “can also create a strong sense of injustice”. The internal review mechanism provides sufficient time for the public authority to make its mind up; if new points are taken thereafter, “then fairness requires that the requester should be allowed to add to the terms of his complaint under s. 50(1)”.

Cost of compliance under s. 12 FOIA

The Upper Tribunal approved principles from Urmenyi v IC and LB Sutton (EA/2006/0093) concerning the Commissioner’s enquiries into the assumptions behind the public authority’s estimate, and from Roberts v IC (EA/2008/0050) about the activities falling within s. 12 and the reasonableness of estimates.

Late reliance on s. 12 is a different matter to late reliance on exemptions under Part II of FOIA. Delay by a public authority robs the requester of the opportunity to split the request into parts separated by 60 days, thereby avoiding s. 12. The cost exemption “only has meaning if the point is taken early on in the process, before substantial costs are incurred” – it looks at whether costs would exceed, not whether they have been exceeded.

In the present case, the MOD’s estimate was not reasonable because it was based upon a search for a broader class of information than that which was actually requested.

Prejudice to international relations under s. 27 FOIA

The Upper Tribunal was not persuaded that this exemption was effective: “since the maintenance of the rule of law and protection of fundamental rights is known to be a core value of the government of the United Kingdom, it is difficult to see how any responsible government with whom we have friendly relations could take offence at open disclosure of the terms of an agreement or similar practical arrangements to ensure that the law is upheld”.

Legal professional privilege under s. 42 FOIA

This exemption was engaged, and the public interest in favour of disclosure of the UK’s Detention Practices Review did not outweigh the public interest in maintaining the exemption.

Bodies dealing with security matters under s. 23 FOIA

The MOD successfully relied on this exemption – including where it was relied on “late”.

Personal data under s. 40 FOIA and the conditions in Schedule 2 DPA

Information on the dates and locations of individual cases of detention and prisoner transfer would not enable identification of those individuals, and was thus not personal data. If it had been personal data, condition 6(1) from Schedule 2 DPA would have been met.

APG in fact submitted that conditions 4, 5(a), 5(d) and 6(1) would be met by disclosure of statistics on detainees. The MOD submitted that a number of these conditions could not be relied on in the context of a request under FOIA because the public at large (to whom disclosure under FOIA is deemed to be made) cannot fulfil these conditions. The Upper Tribunal disagreed: at least some of these conditions can be fulfilled by a member of the public, and that is sufficient.

APG further relied on s. 35(2) DPA, which provides an exemption from the non-disclosure provisions of the DPA where disclosure is “necessary for the purposes of establishing, exercising or defending legal rights”. The Upper Tribunal confirmed that “establishing” for these purposes had the sense of “vindicating” rather than merely determining what the relevant rights are.

Where data is anonymised, it continues to attract the protection of the data protection principles insofar as it is in the hands of the data controller (who holds the key to identification of the otherwise anonymous data subjects). “But outside the hands of the data controller, the information is no longer personal data, because no individual can be identified… the best analysis is that disclosure of fully anonymised information is not a breach of the [DPA] because at the moment of disclosure the information loses its character as personal data”. The publication of truly anonymised or other “plain vanilla” data therefore does not involve “processing of personal data” for DPA purposes.

Related judgments

On the late reliance issue, permission to appeal to the Court of Appeal is being sought in the DEFRA/Birkett case.

On the s. 40 FOIA issue, the Upper Tribunal’s decision needs to be read in conjunction with the High Court’s decision (also handed down very recently) in the Department of Health’s “abortion statistics” appeal.

TWO HIGH COURT ‘PERSONAL DATA’ JUDGMENTS: DIGITAL ECONOMY ACT 2010 AND ABORTION STATISTICS

April 20th, 2011 by Robin Hopkins

The High Court has today handed down two judgments of some significance in the context of personal data.

This morning, Kenneth Parker J gave judgment in the application brought by BT and TalkTalk for judicial review of the Digital Economy Act 2010 (on which, see my earlier discussion here). The Act seeks to combat illegal file-sharing by allowing copyright owners to detect apparently unlawful online activity and report it to the suspect’s internet service provider, who must then warn the suspect against repeat infringements. The claimants contended, among other things, that this regime breached EU data protection law. Their claim failed on this and three other grounds, succeeding only with their fifth ground, which contended that internet service providers should not have to foot 25% of the bill for the regime imposed by the Act. Read the DCMS’ press release here.

This afternoon, Cranston J gave judgment in the “abortion statistics” appeal (on which, see my earlier Panopticon post here). The Information Tribunal had upheld the Commissioner’s decision to order disclosure of “low cell count” statistics as to the number of abortions carried out on specified grounds. Argument had focused on the risk of doctors, and in particular patients, being identified. The Department of Health’s appeal to the High Court was dismissed. The judgment represents a notable development in jurisprudence on personal data.

More analysis to follow when these judgments are made available.

THE EVOLVING BATTLE AGAINST ILLEGAL FILE-SHARING: SOME DATA PROTECTION OBSERVATIONS

March 3rd, 2011 by Robin Hopkins

Late last year, Julian Wilson blogged about the Digital Economy Act 2010, and the judicial review challenge to its compliance with EU law – including data protection law. With those proceedings drawing near, I have written a thought piece for Practical Law on some of the related issues, available here.

DATA PROTECTION IN THE UK: CURRENT AND FUTURE CONCERNS

February 25th, 2011 by Robin Hopkins

The British Medical Association has expressed concern this week about the Health and Social Care Bill – in particular, about its approach to data protection and the sharing of patients’ medical information. The Bill proposes a new “information standard” for the NHS which, according to the BMA, shows that “the Government has decided to place its desire for access to information over the need to respect patient confidentiality”. The new law would empower the Secretary of State to obtain such information as he considers it necessary to have; it would also widen the access to medical information by the NHS Commissioning Board, NHS Information Centre and local authorities. More detail on the proposed changes can be found in articles in the Daily Telegraph here, and the Guardian here.

The BMA wants to see the Bill amended “so that it enshrines the need for explicit patient consent to any disclosure of information, unless the information has been properly anonymised or there is an overriding public interest.” The Department for Health, on the other hand, is confident that the proposals would preserve confidentiality and comply with data protection law. Presumably, the Department means data protection law as implemented in the UK. At the 11KBW Information Law Seminar last week, I discussed the tension between the narrow approach to data protection that has prevailed under UK common law since Durant, and the considerably wider approach taken at a European level (and favoured domestically by the Information Commissioner).

On this subject, there is a very interesting report on Amberhawk this week, available here. This sets out in some detail the European Commission’s concerns about the UK’s apparently “bare minimum” approach to implementing its data protection obligations. It’s not yet clear what the Commission will do about this, but it appears to be only a matter of time before negotiation or confrontation on this issue comes to a head.

CONTRACTING OUT OF FOIA AND THE DPA?

February 22nd, 2011 by Robin Hopkins

Roy Greenslade has posted a very interesting piece this afternoon on his blog on the Guardian website about a purported instance of “contracting out” of FOIA and DPA rights. According to his piece, Cheshire West and Chester Council has signed a compromise agreement with a former employee in which he or she contracts not to make requests to the Council under FOIA or the DPA (the EIR is not mentioned). The Council is confident that these provisions are effective. The ICO takes the opposite view – I suspect it will not be alone in doing so. Click here to read the piece.

BIOMETRIC INFORMATION IN SCHOOLS

February 18th, 2011 by Timothy Pitt-Payne QC

In my post yesterday about the Protection of Freedoms Bill I referred to the provisions about biometric information in schools. I asked why this subject had been singled out for attention in the Bill, and whether there was any evidence that the current situation was unsatisfactory.

Action on Rights for Children (ARCH) have just posted on their website a very interesting briefing on the subject: see here. This is clearly an issue that has been of concern to ARCH for some years, and their paper gives an overview of developments since 2001. ARCH welcome the proposal to introduce consent into the process of taking children’s biometric data, but suggest that ensuring any consent is valid and informed will present a considerable challenge.

PERSONAL DATA OF WHISTLEBLOWING CIVIL SERVANTS: REDACTION AND FAIRNESS

January 24th, 2011 by Robin Hopkins

Those considering the disclosure of personal data in a civil service context will wish to pay close attention to last week’s decision in Dun v IC and National Audit Office (EA/2010/0060). This is the latest Tribunal exercise in forensic scrutiny of fairness under the “personal information” exemption at section 40 (applied in tandem with the first data protection principle under the DPA).

The disputed information concerned the NAO’s enquiry into the Foreign & Commonwealth Office’s handling of employee grievances of a whistleblowing variety, i.e. those in which the employee had raised concerns as to “the proper conduct of public interest, fraud, value for money and corruption in relation to the provision of centrally-funded public services”. The request for information was triggered by the FCO’s inadvertent publication on its intranet of a “track changes” version of the draft report sent to it by the NAO: this tended to suggest that the FCO had sought not only to correct points of fact in that draft report, but also to influence its conclusions.

The unfairness of disclosing grievance and investigation information was pleaded largely on the basis of the complainants’ expectations that their personal data would not be disclosed, and of the distress of their potentially being perceived as “trouble makers”.

A number of categories of arguably personal data were examined: junior civil servants’ names (outcome: don’t disclose), junior civil servants’ roles or job titles (outcome: disclose), contact details (outcome: don’t disclose, except for that part of an email address containing the name of a person whose name was otherwise to be disclosed), details of complaints and criticisms of employees (outcome: disclose in sufficiently redacted form).

The issue of redaction turned on whether disclosure in redacted form would preserve anonymity or achieve fairness – the NAO and IC had said no, but the Tribunal disagreed. It found that disclosure of whistleblowing case information in redacted form would be fair where (i) only those involved would be able to identify the persons being referred to, and (ii) those involved would not learn anything from the disclosed material which they did not know already.

This case is another instance of the established position that disclosure of the names of senior civil servants (here Grade 5 or above) will generally be fair, whereas disclosure of the names of their more junior colleagues will not. A note of caution here, however: the Tribunal was clear that no blanket policy should apply, and that fairness depends on the particular responsibilities and information with which the case is concerned.

One interesting aside: what of a civil servant who was junior at the time the information was created, but has since been promoted? Generally, subsequent events should not make a difference, but not necessarily: the Tribunal observed that it could “envisage a scenario where it is fair to disclose an earlier document in order to refute protestations of ignorance from the same individual who later becomes more senior and accountable”.

SCOTTISH GOVERNMENT ISSUES PRIVACY GUIDANCE

January 5th, 2011 by Robin Hopkins

The Scottish Government has published its guidance document on Identity Management and Privacy Principles. The guidance is aimed both at public sector policy makers and at those involved in devising or operating systems for proving or recording identity. Key principles include:

  • For services which are used frequently and for which identification is needed, users should be required to register only once. Thereafter, unless there is a statutory requirement to prove identity, a person should generally be able to access the service by authenticating themselves using a token (such as a bus pass or library card) that proves their entitlement without revealing personal information. In other circumstances, a user name and a password may be required.
  • A Privacy Impact Assessment (PIA) or proportionate equivalent should be conducted and published prior to the implementation of a project which involves the collection of personal information.
  • Where a public body has a contract with the private sector or the third sector, the contractor must be contractually bound to adhere to best practice as outlined in the guidance.
  • The creation of centralised databases of personal information is to be avoided.
  • If a public service organisation needs to link personal information from different systems and databases (internally or between organisations), it should avoid sharing persistent identifiers. Instead, other mechanisms – such as matching – should be considered.

WISE MEN, ANGELS AND SHEPHERDS

December 8th, 2010 by Rachel Kamm

The Information Commissioner has produced a Good Practice Note on the taking of photographs in schools. The ICO press notice gives a seasonal example: “Having a child perform at a school play or a festive concert is a very proud moment for parents and is understandably a memory that many want to capture on camera. It is disappointing to hear that the myth that such photos are forbidden by the Data Protection Act still prevails in some schools. A common sense approach is needed – clearly, photographs simply taken for a family album are exempt from data protection laws. Armed with our guidance, parents should feel free to snap away this Christmas and stand ready to challenge any schools or councils that say ‘Bah, Humbug’ to a bit of festive fun.” The guidance states that the Data Protection Act is unlikely to apply in most situations where photographs are taken by parents in schools, although it does apply when photographs of children are taken for official use by a school or college (such as for issuing identification passes). The ICO advises that in the other small number of instances where the Data Protection Act 1998 does apply, it will usually be sufficient for the photographer to obtain permission from the parent or individual to take a photograph. The guidance is available here: http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/taking_photos.pdf.

This post is also available on 11KBW’s education law blog: http://www.education11kbw.com/.

BACKDOOR ATTEMPT TO OBTAIN IRAQ WAR CABINET MINUTES FAILS

December 2nd, 2010 by Robin Hopkins

The minutes of the Cabinet meetings at which it was decided to go to war in Iraq have resurfaced for consideration by the Tribunal. First time round, the Tribunal agreed with the Commissioner that the minutes should be released, but the final word went to Jack Straw, by means of a ministerial veto – which was not subject to a judicial review challenge – issued under section 53 FOIA.

The requester in that case subsequently sought a backdoor route to the minutes, by requesting them under FOIA from the ICO itself. He also sought “background papers which show the processes of thought behind the Information Commissioner’s conclusion that the Cabinet minutes in question should be disclosed”. The ICO did not hold the minutes themselves, but it did hold some handwritten notes made by the then Commissioner, Richard Thomas, and by an ICO caseworker when visiting the Cabinet Office to inspect the minutes. It also held a confidential annex to the Decision Notice, which fell within the veto. All of these the Commissioner refused to disclose.

The usual FOIA complaints and appeals process ensued, with the Commissioner issuing a decision notice in respect of his own refusal, and then defending that notice before the Tribunal in Lamb v IC (EA/2009/0108).

The basis of the refusal was section 44 FOIA, which provides that information is exempt if its disclosure is “prohibited by or under any enactment”. The Commissioner relied for the latter on section 59 of the DPA, which says that the Commissioner may not disclose information he obtained under the auspices of the Act “unless the disclosure is made with lawful authority”, which arises where “having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest”.

As the Tribunal accepted, this is a much higher threshold than the usual public interest test under FOIA: under section 59, there is effectively a presumption against disclosure.

The Tribunal was satisfied that this information was “obtained from” the Cabinet Office, notwithstanding the Appellant’s challenge on that point.

It also agreed with the Commissioner’s application of section 59. Much of the Appellant’s argument turned on the importance of the material he sought. This, said the Tribunal, overlooked the point that the Commissioner had already decided in the Appellant’s favour concerning the Cabinet minutes which he sought. The Tribunal also commented that:

“It is no part of the freedom of information regime to provide a mechanism by which a party who prosecuted a successful complaint to the Information Commissioner in the past may have his or her winning margin reassessed in the light of events subsequent to the date of the original victory”.

The Tribunal did not comment on whether the mere existence of the veto gave rise to the engagement or effectiveness of section 59. Nor did it speculate as to the circumstances in which reliance on section 59 could be defeated – although the wording of that section clearly envisaged this prospect.