We have posted a number of times on the contentious issue of late reliance, i.e. whether a public authority is entitled to rely as of right on an exemption or exception (under FOIA or the EIR) raised for the first time before the Tribunal. Last month, the Upper Tribunal answered this question with a firm “yes” in its decision on appeals by the Home Office and Defra, available here. That may not be the last word on this issue: Simon Birkett, founder of Clean Air London and Second Respondent to Defra’s appeal, has applied for permission to appeal that decision to the Court of Appeal. The press releases and grounds of appeal are available here.
LATE RELIANCE AND OTHER DEVELOPMENTS TO LOOK OUT FOR
February 22nd, 2011 by Robin HopkinsMy paper from last week’s 11KBW Information Law Seminar contains a number of updates on important developments – both recent and imminent – at Upper and First-Tier Tribunal levels.
One of the most important concerns the contentious question of late reliance: in particular, is a public authority entitled to rely as of right on an exemption it raises for the first time before the Commissioner or even the Tribunal? The Upper Tribunal has recently answered with a firm “yes”: the decision in the joint appeals from the Tribunal decisions in Home Office v IC, and DEFRA v IC and Birkett (GIA/1694/2010 and GIA/2098/2010) can be downloaded here; see also commentary by FOI Man on his blog here. As I mention in my paper, however, the Upper Tribunal may have more to say on this matter very shortly (in an appeal involving the All Parliamentary Group on Extraordinary Rendition) – so watch this space for updates.
Another imminent Upper Tribunal decision to look out for is the case of Gaskell. concerns an appeal against a Decision Notice involving the Valuation Office Agency. In that Decision Notice, the Commissioner found that – notwithstanding the public authority’s unlawful withholding of the requested information – he would not be ordering disclosure because of events (in this case, the coming into force of new legislation) arising after the time at which the request was handled. The appeal invites the Upper Tribunal to find that the Commissioner has no discretion to make such a decision based on events subsequent to the relevant time for his assessment.
The High Court has recently confirmed that the “costs of compliance” for FOIA purposes does not include the costs of redaction: see Chief Constable of South Yorkshire v IC ([2011] EWHC 44 (Admin)).
Two notable EIR decisions are expected shortly, one at first instance in the GM Freeze case (which is expected to provide much-needed guidance on how widely the concept of “emissions” should be construed), the other by the Upper Tribunal in the Kirklees case (which is expected to clarify the question of imposing charges following a request to inspect information).
The latter case also saw this argument raised before the Upper Tribunal: a “purposive request” (i.e. one that takes the form “please provide me with the information I would need to answer the following questions”) is not a valid request for EIR and FOIA purposes.
Finally, the First-Tier Tribunal has recently heard an appeal by Channel 4, in which the appellant argued that contracts should be treated as whole, rather than severable documents, meaning that if part of the contract can be withheld, then the whole contract can also be withheld. The implications of this position would be substantial, so again – watch this space.
PARTIES MAY APPEAL AGAINST DECISION NOTICES IN THEIR FAVOUR
December 2nd, 2010 by Robin HopkinsShepard v IC and West Sussex County Council (GIA/1681/2010) involved the Commissioner upholding the appellant’s complaint against the local authority, and issuing a decision notice in his favour. That notice required the authority to search for specified information and to provide it to the Claimant if found. The authority informed the appellant that its search had been fruitless. Apparently therefore, it had complied with the decision notice, but the appellant received no information.
At first instance, his appeal failed, partly on the grounds of the well-established principle that a successful party should not be permitted to bring an appeal. The Upper Tribunal disagreed, and granted permission to appeal, observing that the aforementioned principle “surely relates to judicial decisions by courts and tribunals; it does not necessarily apply to decisions by administrative first-instance decision-makers or independent office-holders”.
Nor was the wording of FOIA itself a barrier to such appeals: section 57(1) expressly confers a right of appeal on both parties, and not simply “the losing party”. Furthermore, both the steps prescribed in a decision notice and the timing of such steps are matters of discretion for the Commissioner. Unlike the enforcement of a decision notice, such questions of discretion are within the Tribunal’s jurisdiction.
It is not clear, however, whether a challenge to a first-instance Tribunal’s refusal to entertain an appeal lies by way of an appeal to the Upper Tribunal or by way of judicial review. A test case (combined references of CH/1758/2009 and JR/2204/2009) will determine this question shortly. In the present case, the Upper Tribunal therefore granted permission to apply for judicial review as a precaution.
COMMISSIONER HANDS DOWN FIRST MONETARY PENALTIES FOR DPA BREACHES
November 24th, 2010 by Robin HopkinsUp to now, the Commissioner has not exercised his powers under sections 55A-E of the Data Protection Act 1998 to impose monetary penalties on data controllers for breaches of the Act. Today, he imposed his first two financial penalties.
Hertfordshire County Council has been handed a penalty of £100,000 for twice sending faxes containing sensitive personal data to members of the public in error. The first fax, which is the subject of an injunction preventing further details being disclosed, was intended for a barrister but sent to a member of the public. The second fax, which concerned child protection matters, was intended for a County Court. The errors both occurred in June 2010, and were both reported to the Commissioner by the Council itself.
Secondly, the employment services company A4e has been fined £60,000 after an unencrypted laptop containing personal details of 24,000 users of community law centres was stolen from an employee’s home. This too was reported to the Commissioner by A4e itself.
ICO SIGNS UNDERTAKING WITH GOOGLE AND DEFENDS ITS STANCE
November 22nd, 2010 by Robin HopkinsI reported in a recent post that the Information Commissioner had instructed Google to sign an undertaking aimed at any repeat of the breaches of the Data Protection Act 1998 committed during Google’s information-gathering for its Street View feature. That undetaking has now been signed, and a copy can be viewed here. It requires Google engineers to maintain a “privacy design document” for each new Google project prior to launch. It provides for further training and data protection awareness for Google engineers and other employees. The undertaking also assures the deletion of all personal data which had been gathered unlawfully, and provides for the Commissioner to audit Google’s revamped data protection procedures nine months from now. Interestingly, the undertaking applies to Google’s global activities and not just its UK ones.
The ICO has come under fire for being soft on Google. The Commissioner, Christopher Graham, has defended his stance, including in an interview with the Daily Telegraph which can be found here. In that interview, the Commissioner remarks that “a lot of people out there want somebody – probably not me – to be the privacy tsar. But that’s not what the Information Commissioner is”. Recent indications suggest, however, that the ICO could potentially take on a “privacy tsar” role – see the recommendations from its recent surveillance report, summarised here.
ICO’S SURVEILLANCE REPORT 2010: ‘SLEEPWALKING’ RISK REMAINS; ‘PRIVACY IMPACT ASSESSMENTS’ PROPOSED FOR NEW LEGISLATION
November 15th, 2010 by Robin HopkinsThe Information Commissioner has delivered his latest report to the Home Affairs Select Committee on “the state of surveillance” in the UK. The report traces privacy-related developments since the Commissioner’s 2006 report on the same theme, which memorably observed that the UK may be “sleepwalking into a surveillance society”. According to the November 2010 report, that warning
“… is no less cogent in 2010 than it was several years ago. It is not being suggested that the UK is a ‘police state’ or that there are surveillance conspiracies afoot against the public. Neither the 2006 report nor this one supports such an assumption, and evidence for it is lacking. Much of what is taken to be surveillance is done for benign reasons and has beneficial effects on individuals and society. But much surveillance also goes beyond the limits of what is tolerable in a society based on the rule of law and human rights, one of which is the right to privacy.”
The report provides an illuminating summary of trends in (amongst others) the use of CCTV, body scanning and border control (including ‘ethnic targeting’ for security searches), workplace monitoring, social networking, ‘crowdsourcing’, the monitoring of protest activities and even the use of unmanned drones. Scrutiny is also given to a number of governmental policy tools, such as databases and the use of ‘social sorting’ (eg into groups such as ‘high cost, high risk’ social groups who are vulnerable to social exclusion’) to develop targeted welfare strategies.
As regards private-sector online commerce, the Commissioner recommends a number of measures to correct what he describes as the “worrying trend particularly with those who provide on-line services not to have thought through the privacy implications of their activities and given users robust privacy settings as a default”.
What to do about the risks identified in the report? The ICO’s recommendations focus principally on overhauling the legislative process insofar as it affects privacy, by introducing:
- a requirement for a privacy impact assessment to be presented during the parliamentary process where legislative measures have a particular impact on privacy;
- an opportunity for the Information Commissioner to provide a reasoned opinion to Parliament on measures that engage concerns within his areas of competence, and
- a legal requirement to make sure all new laws that engage significant privacy concerns undergo post-legislative scrutiny to ensure they are being implemented and used as intended by Parliament.
If implemented, these measures would add substantially to the ICO’s clout as the guardian of privacy.
The report can be found here, with the accompanying press release from the ICO here.
GOOGLE ESCAPES FINE OVER STREET VIEW CARS, BUT MUST SIGN UNDERTAKING
November 3rd, 2010 by Robin HopkinsGoogle used cars equipped with cameras to gather material for its much-publicised Street View feature. The material was not confined to photographs, but also included data by which wi-fi hotspots could be located. Earlier in 2010, the ICO investigated this ‘payload data’. It concluded that the information it had inspected was not personal data, in that it could not be linked to identifiable individuals. The ICO stated, however, that it would continue to work with its international counterparts, such as the Canadian authorities, in investigating Google. This co-operation has now shown the payload data to include URLs, passwords and email details.
The ICO today announced that:
“The Commissioner has concluded that there was a significant breach of the Data Protection Act when Google Street View cars collected payload data as part of their wi-fi mapping exercise in the UK. He has instructed Google UK to sign an undertaking in which the company commits to take action to ensure that breaches of this kind cannot happen again. An audit of Google UK’s Data Protection practices will also be undertaken. The Commissioner has rejected calls for a monetary penalty to be imposed but is well placed to take further regulatory action if the undertaking is not fully complied with”.
This follows the ICO’s press release on Monday, in which it commented that:
“It is also important to note that none of the regulators currently investigating Google Street View have taken direct enforcement action at this stage, with the US investigation led by the US Federal Trade Commission for example ruling out direct action, although mirroring our own concern that this data was allowed to be collected by an organisation who showed such disregard for international data protection legislation. This week the Metropolitan Police have also closed their case believing it would not be appropriate to pursue a criminal case against Google under the Regulation of Investigatory Powers Act (RIPA). Whilst we continue to work with our other international counterparts on this issue we will not be panicked into a knee jerk response to an alarmist agenda.”
The latter press release also explained the ICO is “keen to discuss with MPs and Ministers how we can further defend privacy on the internet as technologies and applications develop”. In this regard, the Guardian reports today that culture minister Ed Vaizey is proposing a new internet code of conduct and a mediation mechanism to resolve complaints by individuals against data controllers. He is reportedly meeting with the ICO today to discuss these matters. Watch this space.
ICO BEGINS TARGETED MONITORING OF TARDY AUTHORITIES
October 1st, 2010 by Robin HopkinsThe Information Commissioner’s Enforcement Team has begun cracking down on public authorities that habitually fail to respond to requests for information within the statutory limits. This morning, it began publishing a list – to be updated quarterly – of authorities whose timeliness will now be subject to specific monitoring by the ICO.
Those on the list have either (i) been the subject of six or more complaints of delay in the last six months, (ii) exceeded the time limit by a significant margin on at least one occasion, or (iii) appear to respond in time to fewer than 85% of requests.
There are 33 authorities on the first monitoring list.
For the ICO’s statement, click here. For the debut monitoring list, click here.
LABOUR PARTY IN THE DOG-HOUSE OVER AUTOMATED CALLS
February 11th, 2010 by Anya ProopsThe Commissioner has this week issued an enforcement notice to the Labour Party in response to its act of making unsolicited automated marketing calls without consent to almost half a million people. The calls were made in June 2009 and were designed to encourage people to vote in the European elections. The ICO held that, notwithstanding their inherently political nature, the actions taken by the Labour Party amounted to unlawful ‘direct marketing’ for the purposes of the Privacy and Electronic Communications Regulations 2003. The enforcement notice requires the Labour Party to desist from making further automated calls without the recipients’ consent. Breach of the notice will amount to a criminal offence and could lead to prosecution. This is not the first time that a political party has received an enforcement notice in response to making automated calls. Similar notices have previously been served on the Conservatives, the Scottish National Party and the Liberal Democrats. See further the Commissioner’s press release on this issue.
Demystifying Data Protection
November 27th, 2009 by Timothy Pitt-Payne QCThe Information Commissioner’s Office has just launched a Guide to Data Protection, available on the ICO website. At the heart of the guidance is a detailed commentary on each of the Data Protection Principles, and on the conditions for processing set out in Schedule 2 and 3 of the Act.
The Data Protection Act 1998 is, notoriously, not user-friendly. One of the problems is that so much of its central content is tucked away in the Schedules: for instance, you have to get as far as Schedule 7, paragraph 10 before you find out that there is an exemption to the right of subject access where information is protected by legal professional privilege. So assistance in navigating the legislation is very welcome.
On a first glance, the ICO Guide looks as if it will be of real help – clearly written, comprehensive, but not unduly lengthy. It will also be useful to those wanting to know how the ICO itself might interpret and enforce the Act.