Late last year, Julian Wilson blogged about the Digital Economy Act 2010, and the judicial review challenge to its compliance with EU law – including data protection law. With those proceedings drawing near, I have written a thought piece for Practical Law on some of the related issues, available here.
THE EVOLVING BATTLE AGAINST ILLEGAL FILE-SHARING: SOME DATA PROTECTION OBSERVATIONS
March 3rd, 2011 by Robin HopkinsSCOTTISH GOVERNMENT ISSUES PRIVACY GUIDANCE
January 5th, 2011 by Robin HopkinsThe Scottish Government has published its guidance document on Identity Management and Privacy Principles. The guidance is aimed at both public sector policy makers and with those involved in devising or operating systems for proving or recording identity. Key principles include:
- For services which are used frequently and for which identification is needed, users should be required to register only once. Thereafter, unless there is a statutory requirement to prove identity, a person should generally be able to access the service by authenticating themselves using a token (such as a bus pass or library card) that proves their entitlement without revealing personal information. In other circumstances, a user name and a password may be required.
- A Privacy Impact Assessment (PIA) or proportionate equivalent should be conducted and published prior to the implementation of a project which involves the collection of personal information.
- Where a public body has a contract with the private sector or the third sector, the contractor must be contractually bound to adhere to best practice as outlined in the guidance.
- The creation of centralised databases of personal information is to be avoided.
- If a public service organisation needs to link personal information from different systems and databases (internally or between organisations), it should avoid sharing persistent identifiers. Instead, other mechanisms – such as matching – should be considered.
LOCAL AUTHORITY ORDERED TO RETAIN COURT JUDGMENT IN INDIVIDUAL’S FILE
January 5th, 2011 by Robin HopkinsThe Administrative Court’s (as yet unreported) judgment in R (on the application of N) v a Local Authority in December 2010 saw the quashing of a decision to withdraw a licence to be in contact with children. The case concerned the familiar public law principles of judicial review and human rights, but from an information law perspective, the point of interests is this: in reaching its decision to withdraw the individual’s licence, the local authority compiled information on that individual, including the allegations made against him (namely, that he was a paedophile with a history of sexual offences) as well as its meetings with the individual. Ockleton J not only overturned the local authority’s decision, but also directed it to keep a copy of the judgment with its records relating to the matter, so that its records on this individual were full and accurate. Otherwise, he ruled, the local authority’s file on this individual was potentially misleading to anyone subsequently accessing it.
DISCLOSING DATA FOR PURPOSES OF MEDICAL RESEARCH – NEW ECHR JUDGMENT
November 23rd, 2010 by Anya ProopsMany readers of this blog will be familiar with the stringent protections which the Data Protection Act 1998 (DPA) affords in respect of personal health data (see further the definition of ‘sensitive personal data’ in s. 2 DPA). Thus, for example, if a data controller wishes to avoid contravening the first data protection principle (the fair and lawful processing principle) as and when it is processing health data, it must ensure that: (a) the particular processing is fair and lawful; (b) that it meets one of the conditions provided for in schedule 2 to the DPA and (c) that it meets one of the very narrowly drawn conditions provided for in schedule 3 to the DPA. If the processing is intended to serve the interests of medical research, the data controller will doubtless wish to look in particular at the condition provided for in paragraph 8 of schedule 3. That condition stipulates that the processing must be ‘necessary for medical purposes’ (which includes the purposes of medical research) and be undertaken either be ‘a health processional’ or ‘a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if the person were a health professional’. Of course, the principle which underpins this particular condition is that it is very much in the public interest that, subject to the test of necessity, health data be shared by medical researchers. A recent judgment of the European Court of Human Rights (ECHR) has highlighted the importance of this particular public interest: Gillberg v Sweden (application no. 41723/06).
In Gillberg, two researchers requested access to health data which had been accumulated by Professor Gillberg as part of a long-term project on hypheractivity and attention deficit disorders in children which he was running out of the University of Gothenburg in Sweden. The University refused access on the basis that assurances had been given to the parents of the children and later the children themselves concerning the confidentiality of the data. The researchers challenged the University’s decision relying on Sweden’s long-established and generous rules on access to official documents. The Swedish administrative court upheld the researchers’ claim and ordered that the University disclose the data to them, subject to the imposition of strict conditions on their handling and use of the data. In reaching the conclusion that the data should be disclosed to the researchers, the Swedish court took into account not least the public interest in ensuring the independent and critical evaluation of medical research in the important field of neuropsychiatry. The data was subsequently destroyed by certain of Professor Gillberg’s colleagues. Thereafter, Professor Gillberg was convicted of misuse of office by the Swedish Parliamentary Ombudsman. Having lost his appeals against conviction in the national courts, Professor Gillberg took his case to the ECHR claiming that the conviction breached his Article 8 and 10 rights, particularly in view of the assurances of confidentiality which he had given to the data subjects and their parents. The ECHR dismissed Professor Gillberg’s appeal. It found that, even if the conviction interfered with Professor Gillberg’s Article 8 right to privacy (i.e. his right to privacy in the context of his professional affairs), that interference was justified in the circumstances. It also found that there was no interference with Professor Gillberg’s Article 10 right to freedom of expression as he was convicted not for giving assurances of confidentiality but rather because he misused his office in response to the judgments of the court.
The ECHR’s judgment is interesting not least because it confirms that, at least for the purposes of human rights jurisprudence, the fact that promises of confidentiality have been given to individual patients/research subjects does not create an automatic bar on disclosures which may breach those promises, particularly where the disclosures serve important public interests such as the interests in protecting the integrity and progress of medical research. Query whether the same result would have obtained on an application of the principles embodied in the DPA, particularly in view of the relatively permissive approach to disclosures for the purposes of medical research contained in paragraph 8 of schedule 3.
ICO SIGNS UNDERTAKING WITH GOOGLE AND DEFENDS ITS STANCE
November 22nd, 2010 by Robin HopkinsI reported in a recent post that the Information Commissioner had instructed Google to sign an undertaking aimed at any repeat of the breaches of the Data Protection Act 1998 committed during Google’s information-gathering for its Street View feature. That undetaking has now been signed, and a copy can be viewed here. It requires Google engineers to maintain a “privacy design document” for each new Google project prior to launch. It provides for further training and data protection awareness for Google engineers and other employees. The undertaking also assures the deletion of all personal data which had been gathered unlawfully, and provides for the Commissioner to audit Google’s revamped data protection procedures nine months from now. Interestingly, the undertaking applies to Google’s global activities and not just its UK ones.
The ICO has come under fire for being soft on Google. The Commissioner, Christopher Graham, has defended his stance, including in an interview with the Daily Telegraph which can be found here. In that interview, the Commissioner remarks that “a lot of people out there want somebody – probably not me – to be the privacy tsar. But that’s not what the Information Commissioner is”. Recent indications suggest, however, that the ICO could potentially take on a “privacy tsar” role – see the recommendations from its recent surveillance report, summarised here.
ICO’S SURVEILLANCE REPORT 2010: ‘SLEEPWALKING’ RISK REMAINS; ‘PRIVACY IMPACT ASSESSMENTS’ PROPOSED FOR NEW LEGISLATION
November 15th, 2010 by Robin HopkinsThe Information Commissioner has delivered his latest report to the Home Affairs Select Committee on “the state of surveillance” in the UK. The report traces privacy-related developments since the Commissioner’s 2006 report on the same theme, which memorably observed that the UK may be “sleepwalking into a surveillance society”. According to the November 2010 report, that warning
“… is no less cogent in 2010 than it was several years ago. It is not being suggested that the UK is a ‘police state’ or that there are surveillance conspiracies afoot against the public. Neither the 2006 report nor this one supports such an assumption, and evidence for it is lacking. Much of what is taken to be surveillance is done for benign reasons and has beneficial effects on individuals and society. But much surveillance also goes beyond the limits of what is tolerable in a society based on the rule of law and human rights, one of which is the right to privacy.”
The report provides an illuminating summary of trends in (amongst others) the use of CCTV, body scanning and border control (including ‘ethnic targeting’ for security searches), workplace monitoring, social networking, ‘crowdsourcing’, the monitoring of protest activities and even the use of unmanned drones. Scrutiny is also given to a number of governmental policy tools, such as databases and the use of ‘social sorting’ (eg into groups such as ‘high cost, high risk’ social groups who are vulnerable to social exclusion’) to develop targeted welfare strategies.
As regards private-sector online commerce, the Commissioner recommends a number of measures to correct what he describes as the “worrying trend particularly with those who provide on-line services not to have thought through the privacy implications of their activities and given users robust privacy settings as a default”.
What to do about the risks identified in the report? The ICO’s recommendations focus principally on overhauling the legislative process insofar as it affects privacy, by introducing:
- a requirement for a privacy impact assessment to be presented during the parliamentary process where legislative measures have a particular impact on privacy;
- an opportunity for the Information Commissioner to provide a reasoned opinion to Parliament on measures that engage concerns within his areas of competence, and
- a legal requirement to make sure all new laws that engage significant privacy concerns undergo post-legislative scrutiny to ensure they are being implemented and used as intended by Parliament.
If implemented, these measures would add substantially to the ICO’s clout as the guardian of privacy.
The report can be found here, with the accompanying press release from the ICO here.
GOOGLE ESCAPES FINE OVER STREET VIEW CARS, BUT MUST SIGN UNDERTAKING
November 3rd, 2010 by Robin HopkinsGoogle used cars equipped with cameras to gather material for its much-publicised Street View feature. The material was not confined to photographs, but also included data by which wi-fi hotspots could be located. Earlier in 2010, the ICO investigated this ‘payload data’. It concluded that the information it had inspected was not personal data, in that it could not be linked to identifiable individuals. The ICO stated, however, that it would continue to work with its international counterparts, such as the Canadian authorities, in investigating Google. This co-operation has now shown the payload data to include URLs, passwords and email details.
The ICO today announced that:
“The Commissioner has concluded that there was a significant breach of the Data Protection Act when Google Street View cars collected payload data as part of their wi-fi mapping exercise in the UK. He has instructed Google UK to sign an undertaking in which the company commits to take action to ensure that breaches of this kind cannot happen again. An audit of Google UK’s Data Protection practices will also be undertaken. The Commissioner has rejected calls for a monetary penalty to be imposed but is well placed to take further regulatory action if the undertaking is not fully complied with”.
This follows the ICO’s press release on Monday, in which it commented that:
“It is also important to note that none of the regulators currently investigating Google Street View have taken direct enforcement action at this stage, with the US investigation led by the US Federal Trade Commission for example ruling out direct action, although mirroring our own concern that this data was allowed to be collected by an organisation who showed such disregard for international data protection legislation. This week the Metropolitan Police have also closed their case believing it would not be appropriate to pursue a criminal case against Google under the Regulation of Investigatory Powers Act (RIPA). Whilst we continue to work with our other international counterparts on this issue we will not be panicked into a knee jerk response to an alarmist agenda.”
The latter press release also explained the ICO is “keen to discuss with MPs and Ministers how we can further defend privacy on the internet as technologies and applications develop”. In this regard, the Guardian reports today that culture minister Ed Vaizey is proposing a new internet code of conduct and a mediation mechanism to resolve complaints by individuals against data controllers. He is reportedly meeting with the ICO today to discuss these matters. Watch this space.
DISSECTING PERSONAL DATA – BRYCE V INFORMATION COMMISSIONER
August 18th, 2010 by Anya ProopsSection 40 FOIA provides for a number of exemptions in respect of ‘personal data’. The exemption which is most frequently prayed in aid by public authorities is the one provided for under s. 40(2), read together with s. 40(3)(a)(i). In essence, under these provisions, information will be absolutely exempt from disclosure under FOIA if: (a) it amounts to personal data, as defined in s. 1 of the Data Protection Act 1998 (“DPA”) and (b) its disclosure would contravene one or more of the data protection principles provided for under schedule 1 to the DPA. In practice, it can be very difficult to apply this exemption, particularly where the information in issue may comprise personal data relating to a number of different individuals. It was precisely this issue which the Tribunal had to tackle in the recent case of Bryce v IC & Cambridgeshire Constabulary (EA/2009/0083). In Bryce, a request had been made by Ms Bryce for disclosure of a police investigation report. The report addressed concerns which had been raised by Ms Bryce and others about the way in which the Cambridgeshire Constabulary had investigated the death of Ms Bryce’s sister, who had been killed by her husband. The Tribunal held that the report contained a multiplicity of different types of personal data including: Ms Bryce’s personal data; the husband’s personal data; personal data relating to the husband’s family; the personal data of witnesses; personal data relating to the deceased’s family; and personal data relating to officers who had conducted the investigation. Apart from Ms Bryce’s own personal data, which was exempt from disclosure under s. 40(1) FOIA, the Tribunal approached the question of how the s. 40(2) exemption applied to the remaining data by conducting a discrete analytical exercise in respect of each type of data. It is clear from the Tribunal’s analysis that it was of the view that very different considerations applied, for example, in respect of officers’ data as compared with the data relating to the husband’s family. The key implication of this judgment is that a public authority will expose itself to challenge under FOIA if it simply adopts a blanket ‘one size fits all’ approach to information comprising diffuse types of personal data. The judgment is also notable in that it applies the approach to the concept of ‘personal data’ which was approved in Durant v Financial Services Authority, rather than the arguably more liberal approach embodied in the Commissioner’s guidance: ‘Determining What is Personal Data’.
LAW OF CONFIDENCE – THE TRUMP CARD IN MATRIMONIAL PROCEEDINGS
August 3rd, 2010 by Anya Proops
The Court of Appeal has recently handed down an important judgment on the application of the law of confidence in matrimonial proceedings: Tchenguiz & Ors v Imerman [2010] EWCA Civ 908. The background to the case was that an application for ancillary relief had been made by Mrs Tchenguiz Imerman (TI) against her husband, Mr Imerman. Fearing that Mr Imerman may seek to conceal the nature and extent of his assets in the context of the ancillary relief proceedings, one of TI’s brothers, possibly with the help of others, accessed a computer server in an office which Mr Imerman shared with TI’s brothers and then copied information and documents which Mr Imerman had placed on that server relating to his assets. In order to prevent TI relying on the information and the documents in the ancillary relief proceedings, Mr Imerman sought to restrain the defendants from communicating the information and documents which they had obtained to any third party (including TI and her lawyers). He also sought delivery up of all copies of the documents. Eady J granted the orders sought by Mr Imerman. The defendants appealed to the Court of Appeal. The central issue for the Court of Appeal was essentially whether TI should be allowed to use the information and documents in the context of the ancillary relief proceedings, despite the fact that they appeared to have been obtained by the defendants in breach of confidence and, hence, unlawfully. The case was rendered particularly complex as a result of what is commonly known in matrimonial proceedings as the ‘Hildebrande rules’. Historically, these rules have been applied by the courts in matrimonial ancillary relief proceedings so as generally to allow individuals to rely on evidence as to their spouses’ assets notwithstanding that that evidence has been unlawfully obtained.
In summary, the Court of Appeal held as follows:
· the information/documents had been unlawfully obtained by the defendants as they had been obtained in breach of confidence (and, further, in breach of Mr Imerman’s right to privacy);
· it may be that the obtaining of the information/documents had also amounted to: (a) criminal conduct on an application of s. 17 of the Computer Misuse Act 1990; (b) unlawful processing of Mr Imerman’s personal data under s. 4(4) Data Protection Act 1998 (DPA); and, further, (c) a criminal act under s. 55 DPA; although having found that the information/documents were obtained unlawfully in breach of confidence, the Court did not need to reach a concluded view on these issues;
· the question for the Court was whether it should effectively condone the illegal self-help methods adopts by the defendants simply because it was feared that Mr Imerman may behave unlawfully and conceal that which should be disclosed in the ancillary relief proceedings. The answer to that question was: ‘No’ (see para. 107). As the Court suggested: ‘The tort of trespass to chattels has been known to our law since the Middle Ages and the law of confidence for at least 200 years, yet no hint of any defences of the kind now being suggested is to be found anywhere in the books’ (para. 117). Thus, the Hildebrande rules could not be justified on any grounds;
· if there were concerns that an individual may seek dishonestly to conceal assets in the context of ancillary relief proceedings, the correct course would be for the spouse to seek to protect her/his position through lawful means, for example by applying to the court for an anton pillar order.
The judgment is important not least because it highlights the essentially inalienable nature of the common law rights to confidentiality and privacy. There is no doubt that the judgment will be controversial, not least because of concerns that it fails to recognise the significant power imbalance which often obtains between spouses in matrimonial proceedings.
LANDMARK IPT DECISION ON LOCAL AUTHORITY’S USE OF RIPA
August 2nd, 2010 by Robin HopkinsThe Investigatory Powers Tribunal today issued its decision in the first substantive public case on the use of surveillance powers under the Regulation of Investigatory Powers Act 2000.
Poole Borough Council suspected that Jenny Paton and her family may have lied about living in the catchment area of a sought-after primary school in Dorset. It therefore monitored their activity for around 3 weeks in 2008. This included covertly monitoring the movements of family members and their car, as well as examining the contents of their rubbish.
The IPT found that:
(1) investigating a potentially fraudulent school application was not a proper purpose in the sense required by RIPA;
(2) in these circumstances, the Council’s actions were in any event disproportionate, in that they were not necessary to achieve that aim, and
(3) the Council’s actions had breached the family’s rights under Article 8 of the ECHR.
Poole Borough Council has accepted the ruling and apologised to Ms Paton and her family.