Demystifying Data Protection

November 27th, 2009 by Timothy Pitt-Payne QC

The Information Commissioner’s Office has just launched a Guide to Data Protection, available on the ICO website. At the heart of the guidance is a detailed commentary on each of the Data Protection Principles, and on the conditions for processing set out in Schedules 2 and 3 of the Act.

The Data Protection Act 1998 is, notoriously, not user-friendly.  One of the problems is that so much of its central content is tucked away in the Schedules: for instance, you have to get as far as Schedule 7, paragraph 10 before you find out that there is an exemption to the right of subject access where information is protected by legal professional privilege.   So assistance in navigating the legislation is very welcome.

At first glance, the ICO Guide looks as if it will be of real help – clearly written, comprehensive, but not unduly lengthy. It will also be useful to those wanting to know how the ICO itself might interpret and enforce the Act.

This I can do at home

November 23rd, 2009 by Timothy Pitt-Payne QC

The last Queen’s speech before the election includes another proposal for databases about children; this time, in relation to children who are being home educated.

The background is that in January 2009 the Department for Children, Schools and Families (DCSF) commissioned Graham Badman to carry out a review of the current system for supporting and monitoring home education. The report (available here) was published in June 2009. Its first recommendation was that the DCSF should establish a national registration scheme, locally administered, for all children of statutory school age who are, or become, home educated.

On 11th June the Government launched a consultation about registration and monitoring proposals for home education. Unfortunately I cannot link to the consultation document itself, as it is currently unavailable on the DCSF website. The key proposals in the consultation document were these.

2.1 Register of home educated children
The review recommends that DCSF establishes a national registration scheme, locally administered, for all children of statutory school age who are, or become, electively home educated. The scheme described in the review is one where education and safeguarding issues are both considered as part of the registration process, with an initial statement of educational intent forming the basis for subsequent educational monitoring arrangements. The review response acknowledges that ultimately the scheme would need to be underpinned by guidance and training for local authority staff in order to work effectively. We accept that it will take time to put the full scheme in place particularly where more work is needed to provide more comprehensive guidance on the practical interpretation of ‘efficient’ and ‘suitable’.
2.2 Registration would be granted automatically unless there were safeguarding concerns (see next section): if at any time a LA became dissatisfied with the quality of home education provided to a child, it would – as now – serve a school attendance order.
2.3 We propose to legislate now for registration and monitoring arrangements that will focus on safeguarding but should also improve the quality of education. They will have the following features:
• Every home educated child of compulsory school age must be registered with the local authority in which the child is resident;
• Regulations will specify the information that parents must provide which is likely to be child’s name, date of birth, address, the same information for adults with parental responsibility; a statement of approach to education, and the location where education is conducted if not the home;
• Scope to extend the scheme to 18 in future;
• Regulations will specify how registration should take place;
• Any changes to registration details should be notified immediately;
• Registration must be renewed annually;
• It will be a criminal offence to fail to register or to provide inadequate or false information;
• Pupils should stay on the school roll for 20 days after a notification to home educate;
• The school must provide the local authority with a record of achievement to date and predicted future attainment;
• DCSF will take powers to issue statutory guidance relating to registration and monitoring.
2.4 Safeguarding
The review recommends that local authorities should have a discretion to refuse registration where there are safeguarding concerns. In addition, if safeguarding concerns are identified after home education has begun, the LA would have powers to revoke registration. Each case would need to be considered on its merits, balancing the rights of parents to home educate, and the rights of children to receive a suitable education in a safe environment.
2.5 Monitoring arrangements
Local authorities tell us that they need greater powers to ensure that home educated children are safe, well, and receiving a suitable education. The current arrangements allow parents to submit evidence that a ‘suitable education’ is being provided, which could be mainly written evidence. Local authorities have no powers to interview home educated children to establish that sample material provided is representative of their work, nor to establish that they are safe and well.
2.6 We believe that local authorities should interview children within 4 weeks of home education starting, after 6 months has elapsed, and thereafter at least annually to assess the quality of education provided and ensure that children are safe and well. The local authority should visit the premises where education is conducted, and question the child about the education provided, although at least 2 weeks notice should be given before the visit is conducted. The local authority should have the right to carry out the interview without a parent being present, if this is judged appropriate, or alternatively if the child is vulnerable or has particular communication needs, in the company of a trusted person who is not the home educator or parent/carer.

The consultation closed on 19th October, and as yet there has been no Government response to it. The Queen’s Speech nevertheless includes a proposal for a Children, Schools and Families Bill, one element of which is to be a new home educators’ registration system. For the full text of the proposed Bill, see here. The provisions about home education are in Schedule 1 to the Bill, and consist of proposed amendments to the Education Act 1996. New section 19A(1) of the 1996 Act will require each local authority to maintain a register of home-educated children. Regulations will make provision for how parents can apply to have their children included in the register. The local authority must refuse registration if they consider that it would be harmful to the child’s welfare for the child to become, or remain, a home-educated child. It seems that if registration is refused, and the child is not sent to school, then the likely consequence will be a school attendance order: see the proposed amendments to section 437 of the 1996 Act. Under new section 19H of the 1996 Act, regulations can be made requiring other local authorities, and schools, to share information with a local authority for the purposes of that authority’s home education functions.

There are four points to make about this. One is that the proposed registers are, in substance, a mechanism for parents to seek advance permission from their local authority before home schooling their children. Failure to register will not in itself be a criminal offence, but may lead to a school attendance order; and failure to comply with that order may be a criminal offence. Secondly, exactly what information is to be included in each register is unclear, and will be set out in regulations; but it may well be that the registers will include information about each child’s prospective home education, as well as basic personal details such as name and address. Thirdly, it is unclear as yet who will have access to these registers, and for what purpose.  And fourthly, there are to be specific information-sharing provisions in connection with home education.

Banned Aid

November 21st, 2009 by Timothy Pitt-Payne QC

In March this year the Information Commissioner took enforcement action against the Consulting Association, which had been operating a secret blacklist of employees in the construction industry, including details of trade union activity. We posted about this story here, earlier this year.

Today, the Guardian has extensive coverage of what has happened since.

The Department for Business, Enterprise and Regulatory Reform has now consulted on draft regulations under section 3 of the Employment Relations Act 1999. The consultation ended on 18th August 2009. The proposed regulations are intended to outlaw the compilation, dissemination and use of blacklists of trade unionists. They would make it unlawful to refuse employment, or to dismiss employees or subject them to a detriment, for reasons related to a prohibited blacklist. Individuals who suffer loss through blacklisting would be able to bring claims either in the Employment Tribunal or in the civil courts, depending on the nature of their complaint.

The trade union UCATT commissioned a report from the Institute of Employment Rights about the proposed regulations. The report, by Professor Keith Ewing, was published on 15th September 2009: it is entitled “Ruined Lives”, and deals specifically with blacklisting in the construction industry. It includes sample material from Consulting Association files.  The report gives a fascinating history of the practice of blacklisting, going back to the late 19th century. It suggests a number of changes to the draft Regulations, including: that keeping or using a blacklist, or supplying information to it, should be a criminal offence; and that there should be a right to compensation for the fact of being included on a blacklist, even if the inclusion does not lead to any loss.

A further point to note about the draft Regulations is that they deal specifically with the blacklisting of trade unionists (as does section 3 of the 1999 Act). So they would not assist individuals who had been blacklisted for other reasons; e.g. because of their political beliefs and affiliations, or because they have a history of raising concerns about health and safety issues.

A number of individuals have brought employment tribunal claims arising out of alleged blacklisting. The claims have been consolidated and there will be a case management discussion in Manchester ET on 24th November 2009. This blog gives further information.

Meanwhile the Information Commissioner’s Office (ICO) has taken control of the Consulting Association database. Individuals who think that they may have been blacklisted can contact the ICO; for more information, see this page of the ICO’s website.

Home Office publishes response to its consultation on communications data

November 16th, 2009 by Robin Hopkins

The Home Office has published a summary of responses to its April 2009 consultation paper on ‘communications data’, i.e. information about a communication that does not include the content of the communication itself. At present, such data is owned by communications service providers and accessed by certain public authorities under disparate statutory powers for the purposes of combating, for example, fraud, terrorism and other serious crime. The government is considering an overhaul so as to bring all communication types (such as web chat) and all relevant service providers (some of whose contractual positions place them beyond the current statutory arrangements) within the system.

The attendant tension between individual liberty and public protection is reflected in the 221 responses to this consultation.

A substantial minority of respondents objected in principle to any ‘surveillance’ of communications. A majority (albeit a fairly narrow one) agreed that communications data served an important public purpose and that the government should therefore act to maintain the capability of public authorities to make use of this type of information.

As to what form this action should take, only one element of the government’s proposed approach was widely welcomed, namely its rejection of a central database for holding all data of this type. Reservations were otherwise expressed about technological feasibility, data security and the proportionality of public authorities’ use of communications data.

Nonetheless, such reservations were not deemed forceful or widespread enough to deter the government from its proposed course. A number of respondents’ suggestions have been rejected, including the specifying of categories of data which should not be retained, and the requirement for a magistrate’s authorisation before communications data can be accessed.

The government is also satisfied that the DPA 1998 and RIPA 2000 provide sufficient safeguards against abuse of such data. A legislative review is, however, proposed, to see if a single means of authorised access (through RIPA 2000) would be practicable. Fresh or consolidating legislation appears likely.

Civil penalty notices: consultation

November 12th, 2009 by Ben Hooper

When the new monetary penalties regime under sections 55A-E of the DPA comes fully into force, the Information Commissioner will have power to impose a civil penalty on a data controller for a serious contravention of any of the data protection principles if – in essence – the contravention is (1) deliberate or reckless and (2) of a kind likely to cause substantial damage or distress.

The Ministry of Justice is currently consulting on what the maximum penalty under section 55A should be. £500,000 is proposed. Whilst this is clearly not an insubstantial sum, it needs to be compared with the fact that many other regulators have power to impose a penalty of up to 10% of an organisation’s turnover. If the data controller at issue has a turnover that is significantly above £5m, and – for example – a serious contravention has caused damage or distress to a very large number of people, the maximum penalty of £500,000 may begin to look a little on the small side. Indeed, the Commissioner may not even be able to go that far: the ICO’s draft guidance on the monetary penalty powers indicates at paragraph 7.4 that swift payment of the penalty will lead to a 20% reduction. So a data controller that decides not to contest the penalty may end up only paying a maximum of £400,000.

One final point. The penalties are to be paid into the consolidated fund (section 55A(8)). Thus, where the data controller is a central government body, the imposition of any size of penalty will have a slightly unreal quality to it, as the sum involved will simply return to the financial pot from which the body in question drew its funding in the first place.

WHEN WILL THEY EVER LEARN?

November 10th, 2009 by Timothy Pitt-Payne QC

We call them “data protection duck outs”.  The New Zealanders call them “BOTPAs” (standing for “Because of the Privacy Act”).  Organisations do something silly, and then blame it on data protection legislation.

There’s a nice recent example. A parcel was addressed to a 9 day old baby.  Initially the Royal Mail wouldn’t deliver it to her grandfather, apparently because the Data Protection Act required the baby to sign for it personally.  Not surprisingly, the ICO has confirmed that the Act does not require anything of the kind.

Abortion statistics: identification of patients and doctors held to be unlikely

November 2nd, 2009 by Robin Hopkins

In 2003, the Department of Health significantly reduced the detail of publicly available statistics on abortion operations: for example, no information was any longer to be released about post-24-week abortions carried out on the grounds of foetal medical defects. The Department relied principally on s. 40 FOIA in refusing the Prolife Alliance’s request for more detailed data. The Information Tribunal has, however, ordered the statistics to be disclosed: see Department of Health v IC (Additional Party: the Pro Life Alliance) (EA/2008/0074). The Tribunal agreed with the Department that the requested abortion statistics, although entirely anonymised, did constitute personal data because they were not anonymous in the hands of the data controller. The Department’s principal concern, namely the inferential identification of doctors or patients, was not, however, considered ‘likely’ in the circumstances. This factual finding meant that, in the Tribunal’s view, the release of the requested personal data was fair and lawful and that (under paragraph 6(1) of Schedule 2 to the DPA) the potential prejudice to patients and doctors was outweighed by legitimate third party interests in (inter alia) monitoring compliance with abortion law, identifying abortion trends, informing public debate and encouraging accountability of medical practitioners. The decision is of note for its detailed analysis of the ways in which individuals might be identified from statistical data, and for the Tribunal’s reliance on the Corporate Officer of the House of Commons litigation (in its various stages) for guidance on the balancing test under paragraph 6(1) of Schedule 2 to the DPA.

Media Law and Practice – new book from OUP

October 30th, 2009 by Timothy Pitt-Payne QC

Hot off the press is a new book from OUP on “Media Law and Practice”, edited by David Goldberg, Gavin Sutter, and Ian Walden. 

This is a multi-author book, written by a team of practitioners and academics.  It covers a wide range of media topics, including ownership, regulation, intellectual property, defamation, and commercial communications.       

I contributed a chapter on Information Law: this discusses data protection, freedom of information, and human rights issues, including articles 8 and 10 of the Convention. One of the book’s features is that it deals with new forms of communication (including blogging), as well as traditional print or broadcast media. So I had to address questions such as, how would the “special purposes” defined in the DPA (i.e. artistic, journalistic and literary purposes) apply to web-based publications?

The impetus for the book comes from the Institute of Computer and Communications Law, based in the Centre for Commercial Law Studies, Queen Mary, University of London.  All three editors are members of the Institute.  It’s a major centre for research and teaching in areas related to information law, including intellectual property, telecoms regulation, computer law, and media law.

The book is available online from OUP’s website.

Court of Appeal judgment on Police Database

October 21st, 2009 by James Goudie QC

On 19 October 2009, the Court of Appeal, in Chief Constable of Humberside Police v Information Commissioner (2009) EWCA Civ 1079, allowed police appeals against a decision of the IC, upheld by the IT, that data on old minor convictions (of which there are probably about 1 million) must be deleted from the Police National Computer (“the PNC”). The Court of Appeal held that retaining information for police operational needs in the fight against crime and for other purposes was justified and did not infringe the data protection principles (“the DPP”) under the DPA 1998, especially principles 3 (personal data shall not be excessive in relation to the purpose for which they are procured) and 5 (personal data shall not be kept for longer than is necessary).

Waller LJ, applying the approach from the Bichard Inquiry, following the Soham murders, said, at paragraph 43: “If the police say rationally and reasonably that convictions, however old or minor, have a value in the work they do that should, in effect, be the end of the matter.”

Carnwath LJ referred to the importance, in a case of this kind, of having the involvement of a Judge with direct and hands-on experience of the criminal system. Hughes LJ, with direct hands-on experience of both the criminal and family systems, summarised the position as being that it is for the data controller to determine the purpose(s) for which the data is processed; it is not open to the IC to impose his own determination of those purposes; the imposition of a concept of ‘core police purposes’ was misconceived; and in any event the proper purposes of the police in managing the PNC plainly include the retention of information for provision to others who have a legitimate need for it.

Hughes LJ emphasized practical considerations and in particular the value, in the public interest, of the existence of a single comprehensive record of convictions and of its being held by police forces acting collectively. Hughes LJ said, at paragraph 107: “Like both Waller and Carnwath LJJ, I take the clear view that if senior police officers with considerable operational experience are satisfied that even very old and comparatively minor convictions may sometimes be of assistance in police investigations, then unless that view is perversely or unreasonably held, it is not open to the Commissioner to substitute his own view of their potential use. But I should also add that the opinion expressed by the police witnesses in this case entirely accords with what is seen to be true from time to time in major criminal investigations. As was in evidence in these proceedings, Dame Janet Smith also reached a similar conclusion when considering the investigation into Dr Shipman. Such old convictions, if never subsequently repeated, may very well not be the kind of material which it is proper to put before a jury, … but that does not begin to mean that they have not been of use in the investigation. Quite apart from propensity (or lack of it) to offend in a particular manner, they are likely to be useful for other reasons, of which location and associates are but two simple examples. Moreover, the critical consideration is not the use of the conviction standing by itself, but its potential value in conjunction with other information pieced together by a skilled detective.”

Hughes LJ further observed that many others depend heavily, and reasonably, on the maintenance by the police of these records. Those others include (but are not limited to) the criminal courts, the family courts and those concerned with the protection of children and the vulnerable. He said that the criminal courts have a plain need for reliable and comprehensive information. The Rehabilitation of Offenders Act 1974 is expressly made not to apply to criminal proceedings. There are at least two situations in which the need for such records arises daily. The first is in sentencing. The second relates to the credit of witnesses, especially those relied upon by the Crown. The Secretary of State for Justice expressed the view in this case that “providing anything less than full information to the courts would potentially undermine the criminal justice process”. Hughes LJ agreed.

Hughes LJ also stated that the importance of multi-agency working to child welfare in general, and to child-centred family proceedings in particular, has been recognised for many years, has been the repeated subject of judicial and ministerial exhortation alike, and is difficult to overstate. It is, nowadays, the daily norm of cases in the family courts. The Rehabilitation of Offenders Act 1974 is expressly made not to apply to these proceedings either. It may well be that at times such co-operation throws up difficult questions about the extent of disclosure which a police force ought to make to social services or other child welfare professionals, but that is not a reason for failing to have available a comprehensive record in order to make a fully-informed decision about it.

As regards the vetting of potential employees, Hughes LJ said that, given the statutory framework, it is plain that it is part of the necessary public purposes of the PNC that it maintain a complete record of convictions etc to enable the statutory scheme to work.

Paying for the ICO

October 2nd, 2009 by Timothy Pitt-Payne QC

Organisations that process personal data must notify the Information Commissioner’s Office, and pay an annual fee. Up to now the fee has been £35, for all data controllers. With effect from 1st October 2009, some large data controllers will instead pay a fee of £500.

The changes are made by the Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009 (SI 2009 No 1677). These divide data controllers into two groups: tier 1 organisations, which pay £35, and tier 2 organisations, which pay £500. All data controllers not in tier 2 are in tier 1.

A data controller will be in tier 2 if it satisfies the following three conditions: (i) it is not a charity or a small occupational pension scheme; (ii) it has been in existence for more than a month; and (iii) it has a turnover of £25.9 million or more for the data controller’s financial year and 250 or more members of staff, or it is a public authority with 250 or more members of staff. There are detailed provisions as to how turnover and staff numbers should be calculated for these purposes.

An explanatory memorandum issued by the Ministry of Justice gives the policy background to the change. Essentially it argues that large organisations cost more for the ICO to regulate, and so should pay a higher fee. The memorandum suggests that about 4% of data controllers will pay the higher fee, and that the extra annual income to the ICO will be about £4.7 million.

A more interesting question perhaps – and one that the new Regulations do not affect at all – is who is obliged to notify the Information Commissioner. Anyone who uses a computer to process personal data is a data controller and obliged to notify, unless they are subject to an exemption. Under section 36 of the Data Protection Act 1998, personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the duty to notify (and indeed from most of the rest of the Act as well). This is sometimes referred to as the “domestic use”, or “Christmas card list” exemption: if you keep your family’s Christmas card list on a computer, you do not have to notify the ICO that you are processing personal data, and you can spend the £35 on something else instead.

But what if you put personal data on to the internet? The Lindqvist case in the European Court of Justice suggests that the domestic exemption would not apply here, because information posted on the internet is available to all the world. Since Lindqvist was decided, there has been an explosion of blogging, and social networking, all internet-based. How much of this activity would come within the domestic use exemption remains unclear.