Interfering with the fundamental rights of practically the entire European population

April 10th, 2014 by Robin Hopkins

In the Digital Rights Ireland case, the Grand Chamber of the CJEU has this week declared invalid the 2006 Directive which provides for the mass retention – and disclosure to policing and security authorities – of individuals’ online traffic data. It found this regime to be a disproportionate interference with privacy rights. Depending on your perspective, this is a major step forward for digital privacy, or a major step backwards in countering terrorism and serious crime. It probably introduces even more uncertainty in terms of the wider project of data protection reform at the EU level. Here is my synopsis of this week’s Grand Chamber judgment.

Digital privacy vs national security: a brief history

There is an overlapping mesh of rights under European law which aims to protect citizens’ rights with respect to their personal data – an increasingly important strand of the broader right to privacy. The Data Protection Directive (95/46/EC) was passed in 1995, when the internet was in its infancy. It provides that personal data must be processed (obtained, held, used, disclosed) fairly and lawfully, securely, for legitimate purposes and so on.

Then, as the web began to mature into a fundamental aspect of everyday life, a supplementary Directive was passed in 2002 (2002/58/EC) on privacy and electronic communications. It is about privacy, confidentiality and the free movement of electronic personal data in particular.

In the first decade of the 21st century, however, security objectives became increasingly urgent. Following the London bomings of 2005 in particular, the monitoring of would-be criminals’ web activity was felt to be vital to effective counter-terrorism and law enforcement. The digital confidentiality agenda needed to make space for a measure of state surveillance.

This is how Directive 2006/24 came to be. In a nutshell, it provides for traffic and location data (rather than content-related information) about individuals’ online activity to be retained by communications providers and made available to policing and security bodies. This data was to be held for a minimum of six months and a maximum of 24 months.

That Directive – like all others – is however subject to the EU’s Charter of Fundamental Rights. Article 7 of that Charter enshrines the right to respect for one’s private and family life, home and communications. Article 8 is about the right to the protection and fair processing of one’s personal data.

Privacy and Digital Rights Ireland prevail

Digital Rights Ireland took the view that the 2006 Directive was not compatible with those fundamental rights. It asked the Irish Courts to refer this to the CJEU. Similar references were made during different litigation before the Austrian Courts.

The CJEU gave its answer this week. In Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others (C‑293/12) joined with Kärntner Landesregierung and Others (C‑594/12), the Grand Chamber held the 2006 Directive to be invalid on the grounds of its incompatibility with fundamental privacy rights.

The Grand Chamber accepted that, while privacy rights were interfered with, this was in pursuit of compelling social objectives (the combatting of terrorism and serious crime). The question was one of proportionality. Given that fundamental rights were being interfered with, the Courts would allow the European legislature little lee-way: anxious scrutiny would be applied.

Here, in no particular order, are some of the reasons why the 2006 Directive failed its anxious scrutiny test (quotations are all from the Grand Chamber’s judgment). Unsurprisingly, this reads rather like a privacy impact assessment which data controllers are habitually called upon to conduct.

The seriousness of the privacy impact

First, consider the nature of the data which, under Articles 3 and 5 the 2006 Directive, must be retained and made available. “Those data make it possible, in particular, to know the identity of the person with whom a subscriber or registered user has communicated and by what means, and to identify the time of the communication as well as the place from which that communication took place. They also make it possible to know the frequency of the communications of the subscriber or registered user with certain persons during a given period.”

This makes for a serious incursion into privacy: “Those data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.”

Second, consider the volume of data gathered and the number of people affected. Given the ubiquity of internet communications, the 206 Directive “entails an interference with the fundamental rights of practically the entire European population”.

Admittedly, the 2006 regime does not undermine “the essence” of data protection rights (because it is confined to traffic data – the contents of communications are not retained), and is still subject to data security rules (see the seventh data protection principle under the UK’s DPA 1998).

Nonetheless, this is a serious interference with privacy rights. It has objective and subjective impact: “it is wide-ranging, and it must be considered to be particularly serious… the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance.”

Such a law, said the Grand Chamber, can only be proportionate if it includes clear and precise laws governing the scope of the measures and providing minimum safeguards for individual rights. The 2006 Directive fell short of those tests.

Inadequate rules, boundaries and safeguards

The regime has no boundaries, in terms of affected individuals: it “applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime”.

It also makes no exception for “persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy”.

There are no sufficiently specific limits on the circumstances in which this can be accessed by security bodies, on the purposes to which that data can be put by those bodies, or the persons with whom those particular bodies may share the data.

There are no adequate procedural safeguards: no court or administrative authority is required to sign off the transfers.

There are also no objective criteria for justifying the retention period of 6-24 months.

The Grand Chamber’s conclusion

In summary, the Grand Chamber found that “in the first place, Article 7 of Directive 2006/24 does not lay down rules which are specific and adapted to (i) the vast quantity of data whose retention is required by that directive, (ii) the sensitive nature of that data and (iii) the risk of unlawful access to that data, rules which would serve, in particular, to govern the protection and security of the data in question in a clear and strict manner in order to ensure their full integrity and confidentiality. Furthermore, a specific obligation on Member States to establish such rules has also not been laid down…”

There was also an international transfer aspect to its concern: “in the second place, it should be added that that directive does not require the data in question to be retained within the European Union…”

This last point is of course highly relevant to another of the stand-offs between digital privacy and national security which looms in UK litigation, namely the post-Snowden litigation against security bodies.

Robin Hopkins @hopkinsrobin

Steinmetz and Others v Global Witness: latest developments

April 2nd, 2014 by Robin Hopkins

Panopticon devotees will have noted that important DPA litigation is afoot between a group of businessmen (Beny Steinmetz and others) and the NGO Global Witness. The Economist has recently reported on the latest developments in the case: see here.

I particularly like the article’s subtitle: “Libel laws have become laxer. Try invoking data protection instead”. This is an observation I (and others) have made in the past: see here for example. The point appears to be gathering momentum.

Robin Hopkins @hopkinsrobin

Universal Credit reports

March 31st, 2014 by Rachel Kamm

The Tribunal has ordered disclosure of information about Universal Credit, in three appeals which were heard together: John Slater v ICO and DWP EA/2013/0145; DWP v ICO and John Slater EA/2013/0148; and DWP v ICO and Tony Collins EA/2013/0149. The Tribunal dismissed both of DWP’s appeals and allowed Mr Slater’s appeal (subject to the removal of some names from the information).

The disputed information in Mr Collins’s appeal was a Project Assessment Review of the Universal Credit Programme (UCP), which was prepared by the Cabinet Office’s Major Projects Authority in early November 2011 and requested by Mr Collins on 1 March 2012.

In Mr Slater’s case, the disputed information was the Risk Register, Issues Register and the High Level Milestone Schedule for UCP and he made the request on 14 April 2012. As described by the Tribunal, “All three categories of document are essential risk management and planning tools in any large long – running project. They are designed to identify and reduce uncertainty and to gain uncompromising input from the widest possible spectrum of participants. UCP, on which work began in 2011, is scheduled for completion in 2017” (§22).

In response to both requests, the DWP relied on the exemption in section 36 FOIA, on ground that, in the reasonable opinion of a qualified person (the Minister), disclosure of the information under FOIA would be likely to inhibit the free and frank provision of advice, or the free and frank exchange of views for the purposes of deliberation, or would be likely otherwise to prejudice the effective conduct of public affairs and that the balance of the public interest was in favour of maintaining this exemption.

The ICO found that the qualified exemption in section 36 was engaged, but that the balance of the public interest favoured disclosure of the Project Assessment Review, Issues Register and  High Level Milestone Schedule (but not the Risks Register).

On appeal, the Tribunal agreed with DWP and the ICO that the exemption in section 36 was engaged i.e. it was reasonable for the Minister to conclude that disclosure would be likely to inhibit the free and frank provision of advice, or the free and frank exchange of views for the purposes of deliberation, or would be likely otherwise to prejudice the effective conduct of public affairs. The test was whether there was a realistic possibility, not a 51%+ probability (§49).

Turning to the public interest, the Tribunal attached great importance “not only to the undisputed significance of UCP as a truly fundamental reform but to the criticism and controversy which it was attracting by the time of these requests in March and April, 2012″ (§55). The Tribunal also noted “the unfailing confidence and optimism of a series of press releases” and that UCP was described as on track when milestones had not been achieved on time. It commented that “Where, in the context of a major reform, government announcements are so markedly at odds with current opinion in the relatively informed and serious media, there is a particularly strong public interest in up to date information as to the details of what is happening within the programme, so that the public may judge whether or not opposition and media criticism is well – founded” (§56). It took into account the costs of the programme and the size of the IT interface with local authority systems (§57). Publication of the disputed information upon completion of UCP, “would be a wholly inadequate answer to the demands for transparency” (§58).

On the other hand, the Tribunal acknowledged that the ‘safe space’ requirement can apply in section 36 (as well as section 35) cases (§59). The Tribunal did not take into account evidence which had been given by the Department of Health in a different Tribunal appeal, but which this Tribunal had not seen and which had not been tested in cross examination §61). There was no evidence that disclosure of another risk document, the Starting Gate Review, had inhibited frank discussion (§62). In this context, the need for a degree of deference to the experience of senior public authorities was not as pressing as when tackling questions of security or foreign policy: “The duty of the Tribunal is to consider government evidence on issues such as these carefully, conscious of the experience and expertise of the witness, but using its own knowledge of appeals of this kind, of institutions and behaviour in the workplace to determine whether government information requires the protection claimed, considering the importance of the subject matter to the public. We are not persuaded that disclosure would have a chilling effect in relation to the documents before us“ (§63).

As to diversion of resources if the disputed information was disclosed, the Tribunal commented that ”a programme such as UCP required at the outset a clear public relations strategy and a substantial staff to handle the inevitable flow or even torrent of inquiries and bad news stories which such an important change must attract” and that delivery of UCP may be facilitated by good communication (§64).

Having reached the above general conclusions, the Tribunal considered each of the requested documents in turn. It found that the public interest was in favour of disclosing the information, taking into account in particular that “Ordinary people, properly informed, are capable of grasping why a document dwells on problems rather than successes” and that whilst there may be some prejudice to DWP, the public interest required disclosure. It dismissed DWP’s appeals and allowed Mr Slater’s appeal (subject to the removal of some names from the information), thereby ordering disclosure under FOIA of each of the documents.

Julian Milford represented DWP and Robin Hopkins represented the ICO.

Rachel Kamm, 11KBW

 

 

 

FOIA’s not all that: Kennedy v The Charity Commission [2014] UKSC 20

March 28th, 2014 by Tom Cross

 

The Supreme Court’s much anticipated judgments in Kennedy v The Charity Commission make for a long read. But they are very important. All the parties in Kennedy were represented by Counsel from 11KBW: Andrew Sharland for Mr Kennedy; Karen Steyn and Rachel Kamm for the Charity Commission and the Secretary of State; Ben Hooper for the ICO; and Christopher Knight for the Media Legal Defence Initiative and Campaign for Freedom of Information.

The factual background is described in previous posts. In short the appeal concerned a FOIA request made by Mr Kennedy, a journalist at The Times, in June 2007, for disclosure of information concerning three inquiries conducted by the Charity Commission between 2003 and 2005 into the ‘Mariam Appeal’, which was launched by Mr George Galloway in connection with the sanctions imposed on Iraq following the first Gulf War. The Charity Commission relied on section 32(2) of FOIA in refusing the request. That provides an absolute exemption from disclosure where information held by a public authority is held only by virtue of being contained in either (a) any document placed in the custody of a person conducting an inquiry or arbitration, for the purposes of the inquiry or arbitration, or (b) any document created by a person conducting an inquiry or arbitration, for the purposes of the inquiry or arbitration. The Court of Appeal had held that this exemption applied to a request made in 2007 concerning inquiries which had finished in 2005.

The two primary questions for the Supreme Court were (1) whether the absolute exemption in section 32(2) continued after the end of an inquiry (so that Mr Kennedy was precluded from receiving the information); and (2) if so, what, if any difference Mr Kennedy’s rights under article 10 of the European Convention on Human Rights (the “ECHR”) made to that result. In the result the Court’s discussion ranged more widely than may have been anticipated.

The majority of the Court agreed with the judgments of Lord Mance and Lord Toulson. (Lord Sumption gave a separate, concurring, judgment). The majority decided as follows.

(1) Section 32(2) continues to apply after the end of an inquiry

The Court held that the absolute exemption in section 32(2) FOIA does last beyond the end of an inquiry until the relevant information is destroyed or for up to 30 (or in future 20) years under the Public Records Act 1958. There were two principal reasons. First, that construction was supported by the words of the section themselves read as a whole. The words “for the purposes of the inquiry or arbitration” qualified the immediately preceding words in 32(2)(a) and (32)(2)(b) and referred to the original purpose for which the relevant documents were placed in the custody of, or were created by, a person conducting an inquiry. Secondly, the Court considered that its interpretation sat comfortably within FOIA as a whole.  Under section 62(1) FOIA, a record becomes a “historical record” at the end of 30 years, and, under section 63(1), information contained in a historical record cannot be exempt information because of section 32. Lords Mance and Toulson considered that, in that context, information falling within section 32 would continue to be exempt for 30 years instead of ceasing to be exempt at the end of an inquiry. That meant that, absent Mr Kennedy’s being able to demonstrate that Article 10 required a different result, he would not be entitled to the information he sought under FOIA itself.

(2) Article 10 ECHR did not lead to a different construction of section 32(2)

Mr Kennedy argued that if (as the Court held, above) he was not entitled to the information because of s.32(2), section 32(2) was incompatible with his rights under Article 10 ECHR, and that it should be ‘read down’ under the HRA (at the very least so as to mean that s.32(2) ceased to be an absolute exemption after the end of an inquiry).

There were two bases on which the Court decided that Article 10 did not, however, assist him.

The first was that there was no basis for concluding that section 32(2) was inconsistent with Article 10 in circumstances where s.32(2) put him in no less favourable a position than he was otherwise in under general statute and common law to access the information. That was because FOIA is not the only means through which information can be accessed. What section 32(2) of FOIA does is to take information falling within the absolute exemption outside the scope of that particular disclosure regime; but this does not mean that the information subject to the exemption could not otherwise be required to be disclosed by law.  Other statute, or the common law, might require disclosure, even though FOIA did not. According to the majority it could not be said that section 32(2) of FOIA was incompatible with the ECHR in those circumstances.

This is, plainly, a point of wider significance. It may be that the extent to which Article 10 may lack application because of the existence of equivalent rights of access under other statute or common law is likely to depend on the circumstances.

Both Lord Mance and Lord Toulson discussed rights of access to information in the specific context of Mr Kennedy’s request. In Lord Mance’s opinion, the Charity Commission had the power to disclose information to the public concerning inquiries on which it has published reports, both in pursuit of its statutory objective under the Charities Act 1993 (since replaced with the Charities Act 2011) of increasing public trust in, and the accountability of, charities, and under general common law duties of openness and transparency on public authorities. Lord Toulson placed greater emphasis on the fundamental principle of open justice forming part of the common law:

‘It has long been recognised that judicial processes should be open to public scrutiny unless and to the extent that there are valid countervailing reasons. This is the open justice principle. The reasons for it have been stated on many occasions. Letting in the light is the best way of keeping those responsible for exercising the judicial power of the state up to the mark and for maintaining public confidence’ (paragraph 110)

The exercise of the power of disclosure pursuant to the open justice principle would be subject to judicial review. Lord Mance considered that the courts should apply a high standard of review to any decision not to disclose information in answer to questions of real public interest raised by a journalist in relation to inquiries on which the Charity Commission has published reports (see e.g. paragraph 56).

The second reason why Mr Kennedy was not assisted by Article 10 according to the majority was that article 10 was not engaged because it does not impose a freestanding positive general duty of disclosure on public authorities. There is a particularly detailed discussion of the recent developments in the case law of the European Court of Human Rights in the judgment of Lord Mance at paragraphs 57-100, which starts with the statement that the jurisprudence ‘is neither clear nor easy to reconcile’. Technically, the discussion is obiter, because, on the majority’s approach, it was unnecessary to decide the point for the resolution of the appeal. But it will remain, on the present state of the Strasbourg case law, difficult or impossible for requesters to rely on Article 10 as a means of arguing for a more favourable construction of FOIA.

Mr Kennedy’s appeal was, accordingly dismissed. His request under FOIA was properly refused in reliance on s.32(2) and Article 10 did not assist him.

Lord Wilson and Lord Carnwath, dissenting, would have allowed the appeal on the basis that Article 10 was engaged by Mr Kennedy’s FOIA request and should have led to s.32(2) being read down such that the absolute exemption expired at the end of the relevant inquiry.

My own view is that the greatest significance of Kennedy is its highlighting of the fact that FOIA is only one means of obtaining information from public authorities. If a different statutory or common law basis may be found for invoking a right in particular circumstances, a judicial review application may also be available. Whether that is a wise route for requesters to pursue, including given the costs implications of that form of litigation which do not apply in the same way in the tribunal, is a different question, but it is one to which fresh consideration might now be given in appropriate cases.

 

ICO cannot have a second go

March 25th, 2014 by Robin Hopkins

Okay, the following points are mainly about procedure, but they are nonetheless quite important for those involved in FOIA litigation before the Tribunals. These points come from a pair of recent Upper Tribunal decisions, both arising out of requests from the same requester.

One is IC v Bell [2014] UKUT 0106 (AAC): Bell UT s58. Question: suppose the First-Tier Tribunal thinks the ICO got it wrong in its decision notice. Can it remit the matter to the ICO for him to think again and issue another decision notice on the same complaint? Answer: no, it can’t; it must dispose of the appeal itself. There are some exceptions, but that is the general view with which parties should approach Tribunal litigation.

That Bell decision also comments on the importance, in relevant circumstances, of the Tribunal ensuring that it gets the input of the public authority and not just of the ICO, as there will be cases where only the public authority can really provide the answers to questions that arise at the Tribunal stage.

That same Bell decision also explores this point, for those with an interest in FOIA and statutory construction (surely there are some of you?): under s. 58 of FOIA, unless the Tribunal is going to dismiss an appeal, it must “allow the appeal or substitute such other notice as could have been served by the Commissioner” (my emphasis). That is curious. Quite often, Tribunals do both of those things at the same time. What to make of this? Judge Jacobs explains in the Bell decision.

There was also a second Bell appeal on the same day: Bell UT s14. Same Bell, different public authority and separate case: IC and MOD v Bell (GIA/1384/2013). This was about s. 14 of FOIA (vexatious requests). The public authority had provided lots of detail about the background to the series of requests to make good its case under s. 14. But there was a paper hearing rather than an oral one and the Tribunal appears to have overlooked some of that detail and it found that s. 14 had been improperly applied.

Judge Jacobs overturned that decision. One reason was this: when a binding and decisive new judgment (here, Dransfield) appears between the date of a hearing and the date of the Tribunal’s final deliberations, justice requires that the parties be given an opportunity to make submissions on the application of that judgment.

Another was that the Tribunal had failed properly to engage with the documentary evidence before it. “That is why the papers were provided: to be read. A tribunal is not entitled to rely on the parties to point to the passages that it should read and to look at nothing else” (my emphasis). This underlined point is obviously of general application to Tribunal litigation.

Robin Hopkins @hopkinsrobin

Data protection and compensation: the “irreversible march” towards revolutionary change

March 21st, 2014 by Robin Hopkins

At 11KBW’s Information Law conference this past Tuesday, I talked a bit about the progress of the draft EU Data Protection Regulation. I omitted to mention last week’s development (my reason: I was on holiday in Venice, where data protection seemed less pressing). In a plenary session on 12 March, the European Parliament voted overwhelmingly in support of the Commission’s current draft of the Regulation. This is all explain in this Memo from the European Commission. Here are some key points.

One is the apparently “irreversible” progress towards getting the Regulation onto the EU statute books. “The position of the Parliament is now set in stone and will not change even if the composition of the Parliament changes following the European elections in May. As a reminder, the remaining stage is for the European Council to agree to the proposal. Its ministers are meeting again in early June. So far, they have been broadly supportive.

Another point is about business size and data protection risk: SMEs will not need to notify (so where will the ICO get its funding?), they won’t need to have data protection officers or carry out privacy impact assessments as a default rule. “We want to make sure that obligations are not imposed except where they are necessary to protect personal data: the baker on the corner will not be subject to the same rules as a (multinational) data processing specialist.”

A third point has great consequences for international transfers: “Non-European companies, when offering services to European consumers, will have to apply the same rules and adhere to the same levels of protection of personal data. The reasoning is simple: if companies outside Europe want to take advantage of the European market with more than 500 million potential customers, then they have to play by the European rules”.

Fourth, the “right to be forgotten” is still very much on the agenda. “If an individual no longer wants his or her personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system” (subject to freedom of expression). This “citizen in the driving seat” principle, like the consistency aim (the same rules applied the same away across the whole EU) and the “one-stop shop” regulatory model has been part of the reform package from the outset.

A final point is that the Parliament wants regulators to be able to impose big fines: “It has proposed strengthening the Commission’s proposal by making sure that fines can go up to 5% of the annual worldwide turnover of a company (up from 2% in the Commission’s proposal)”. Monetary penalties will not be mandatory, but they will potentially be huge.

On this last point about money: as under the current law, a regulatory fine is one thing and the individual’s right to be compensated another. At out seminar on Tuesday, we discussed whether there would soon be a sweeping away (see for example the Vidal-Hall v Google litigation) of the long-established Johnson v MDU principle that in order to be compensated for distress under section 13 of the DPA, you need first to prove that you suffered financial loss. That may well be so for the DPA, in which case the short- and medium-term consequences for data protection litigation in the UK will be huge.

But it is important to be clear about the longer term: this is going to happen anyway, regardless of any case-law development in UK jurisprudence. Article 77 of the current draft of the Regulation begins like this “Any person who has suffered damage, including non-pecuniary damage, as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to claim compensation from the controller or the processor for the damage suffered”.

If we are indeed irreversibly on track towards a new Regulation, then data protection litigation – notably, though not only about compensating data subjects – is guaranteed to be revolutionised.

Robin Hopkins @hopkinsrobin

A history and overview of the FOIA/EIR veto

March 21st, 2014 by Robin Hopkins

The ‘veto’ (ministerial certificate) provision under s. 53 of FOIA (imported also into the EIRs) has been much discussed – on this blog and elsewhere – of late. Here is another excellent resource on the subject which is worth drawing to the attention of readers who want to understand this issue in more detail. Earlier this week, the House of Commons library published this note by Oonagh Gay and Ed Potton on the veto, its use to date, and comparative jurisdictions (Australia, New Zealand, Ireland).

Robin Hopkins @hopkinsrobin

Stop Press: Supreme Court to Hand Down Kennedy Judgment on Weds 26 March 2014

March 20th, 2014 by Christopher Knight

The Supreme Court has announced on its website that it will hand down judgment in the long-running saga of Kennedy v Charity Commission on Wednesday 26 March 2014. The judgment is expected to address the construction of section 32 FOIA and the extent to which Article 10 ECHR can be used to found a right of access to information. The judgment hand-down will be at 9.45 and can be watched live through the Supreme Court’s website.

Christopher Knight

Government security classifications to change on 2 April 2014

March 19th, 2014 by Tom Ogg

The government currently uses a scheme of ‘protective markings’ to classify the sensitivity of the information and documents it holds.  The protective markings are, in ascending order of security, protect; restricted; confidential; secret; top secret.  For further information see the HMG Security Policy Framework.

As of 2 April 2014 protective markings will be abolished and replaced by ‘security classifications’.  Those security classifications will be ‘official’, ‘secret’, and ‘top secret’.

For further information see the document Government Security Classifications and accompanying guidance.

Thomas Ogg

The Not Entirely Secret Diary of Mr Lansley

March 18th, 2014 by Timothy Pitt-Payne QC

 What considerations are relevant when deciding whether a Ministerial diary should be disclosed under FOIA?  The decision of the First-tier Tribunal in Department of Health v Information Commissioner EA/2013/0087 is, perhaps surprisingly, the first Tribunal decision to address this issue.  The judgment engages with a number of difficult issues:  the Tribunal’s approach to Government evidence, the value of cross-examination in Tribunal hearings, aggregation of public interests under FOIA, and Parliamentary privilege.  Hence it is of general importance, going beyond the intrinsic interest of its specific subject matter.

The request was for the Ministerial diary of the Rt Hon Andrew Lansley MP for the period 12th May 2010 to 30th April 2011, during which he was Secretary of State for Health.  During this period, the Minister’s primary focus was the Department’s NHS reform programme.  The requester was a journalist dealing with health issues.  After the Department refused the request, and maintained its refusal on internal review, the requester complained to the Information Commissioner.  In the course of the Commissioner’s investigation the Department disclosed a heavily redacted version of the diary.

The Commissioner ordered the Department to disclose the whole diary, with very limited redactions.  On the Department’s appeal, the First-tier Tribunal upheld the Commissioner’s decision, with minor modifications reflecting points that were conceded by the Commissioner before the Tribunal.

The material before the Tribunal included witness statements from Sir Alex Allan and Paul Macnaught in support of the Department’s case.  Sir Alex is a distinguished former civil servant, currently the Prime Minister’s Independent Adviser on Ministerial Interests.  Mr. Macnaught is the Director of Assurance at the Department.  The Commissioner had initially accepted that the hearing should take place without oral evidence, but on the Tribunal’s request Sir Alex and Mr. Macnaught attended the hearing and were questioned.

At the start of its decision, the Tribunal considered whether the entire contents of the diary were “held” by the Department, within the meaning of FOIA section 3(2).  In this context it focused on the entries that related to non-Ministerial activities such as constituency work.  The Department accepted that these entries were held by the Department when they were first made, but contended that by the time of the request the Department was merely providing electronic storage for this information.  The Tribunal rejected this.  There was no evidence of the Minister asking the Department to store this information; and even after the engagements had been fulfilled the information remained of potential value to the Department, e.g. if there was a need to check where the Minister had been at a particular time.  The whole of the diary, therefore, was held by the Department and potentially disclosable under FOIA.

As to the personal data exemption (section 40(2)), there was little controversy except in relation to meetings between the Minister and constituency MPs acting as elected representatives.  The Commissioner considered that the identity of the MPs should be disclosed; the Department did not concede this; and the Tribunal agreed with the Commissioner.

In relation to the national security exemption (ss 23(5) and 24(2)) there was no dispute between the Commissioner and the Department as to the information that ought to be withheld.  The Tribunal considered that it would be sterile to address the areas of disagreement as to the precise application of these two exemptions.

The main area of controversy was the application of the exemptions in s 35(1)(a) (formulation or development of Government policy), s 35(1)(b)  (Ministerial communciations), and s 35(1)(d) (operation of a Ministerial private office).  By the time the Tribunal came to make its decision, the Commissioner accepted that these exemptions were applicable where claimed by the Department: so the issue was whether the public interest in maintaining the exemptions outweighed the public interest in disclosure.

At the start of its consideration of the public interest test, the Tribunal addressed a number of general issues.

It began by considering the value of oral evidence.  The Tribunal referred to what was said about cross-examination by the Upper Tribunal in APPGER v IC and FCO [2013] UKUT 560 (AAC).  It interpreted the Upper Tribunal’s remarks as highlighting the need to consider whether cross-examination was necessary in the particular case, but not as ruling it out.  The Tribunal considered that oral evidence and cross-examination could often be of great assistance; in particular it affirmed the value of testing the public authority’s evidence in this way where cases involved a difficult judgment on the balance of public interest.  Cross-examination could be especially important where there was closed evidence.

Next, the Tribunal considered the extent to which deference should be given to Government evidence, and the relevance (if any) of the case law about public interest immunity (PII) when applying the public interest test under FOIA.  The Tribunal rejected the contention that FOIA cases and PII cases should in all respects be approached in the same way.  The remarks in the APPGER case about the relevance of PII were intended to emphasise the need, in both PII and FOIA cases, properly to identify the factors for and against disclosure; they were not meant to assimilate FOIA and PII in all respects.  The Tribunal accepted that proper weight should be given to the expertise of Government witnesses; but, if “deference” meant that their evidence should be accepted unless it lacked any rational basis or was given in bad faith, then the Tribunal rejected the suggestion that it should show deference to that evidence.  Broadly speaking, the Tribunal accepted that the Government’s expertise would carry greater weight in relation to state security or international relations than in s 35 cases, but this was not a hard and fast distinction.

When it came to striking the public interest balance, the Tribunal emphasised the need to identify the particular benefits and detriments, and their likelihood, on each side of the equation.  At the same time, the Tribunal recognised the assumption underlying FOIA, that there is a general public interest in the transparency of public authorities; in many cases it would only be possible for the benefits of disclosure to be identified at a high and generic level.  It indicated that the inclusion (e.g. in skeleton arguments) of a table summarising the various factors and their significance could often be of assistance.

The discussion of aggregation is particularly interesting.  Since the decision of the European Court in the Ofcom case, Tribunals in EIR cases have been required to look at exemptions on an aggregated basis, considering the overall public interest balance for and against disclosure; there is as yet no definitive judgment as to whether the same approach applies under FOIA.  Here, the Tribunal took a middle position between the submissions made for the Department and the Commissioner.  It accepted (contrary to the Commissioner’s position) that aggregation applied under FOIA.  But it took a more limited view of aggregation than did the Department:  properly understood, Ofcom supported aggregation in EIR cases only where there was an overlap between the interests served by the different exemptions, and the same approach should be applied under FOIA.

In relation to Parliamentary materials, the Department had relied upon parts of chapter 6 of the House of Commons Justice Committee report:  Post-legislative scrutiny of the Freedom of Information Act 2000 (3rd July 2012).  The Tribunal considered whether it was proper to take this material into account, having regard to Parliamentary privilege.  It discussed the decision of Stanley Burnton J in the OGC case, and the less restrictive approach to the use of Parliamentary materials adopted in the R (Age UK) v Secretary of State for Business, Innovation and Skills [2009] EWHC 2336 (Admin):  the Tribunal decided to follow the Age (UK) case.  The Tribunal took into account the material relied upon by the Department, and found it helpful by way of background, but stated that it would be inappropriate to rely on any particular view expressed to or by the Parliamentary Committee.

The Tribunal then carried out the public interest balance in relation to the disputed information (i.e. the relevant Ministerial diary).  In respect of both the interests favouring disclosure and the interests in maintaining the section 35 exemptions, the Tribunal summarised its conclusions in a table, setting out the factors taken into account and the impact of disclosure on those factors.  For instance, in terms of the interests served by disclosure, it considered that there would be a “positive” impact in relation to “accountability:  whether the public was getting good value from the Minister and whether he was properly carrying out his functions”.  In terms of the adverse impacts of disclosure, it considered that a “modest additional burden” was likely by reason that “potentially misleading information would need to be explained”.  A number of factors for and against disclosure were listed and assessed in a similar way.

In order to reach the conclusions set out in tabulated form, the Tribunal conducted a detailed assessment of the evidence given.  It was critical of some of the evidence given by the Department’s witnesses, and was careful to explain why despite their expertise it was departing from that evidence in some regards: this is the practical application of the Tribunal’s discussion of deference, earlier in the decision.  For instance, in relation to the public interest in favour of disclosure, the Department’s evidence was that this interest was substantially met by the publication of quarterly information releases about ministerial activity.  The Tribunal was critical of this part of the evidence for giving insufficient weight to the fact that the information releases (unlike the diary) did not cover meetings by video conference or telephone.  In relation to the public interests for maintaining the exemption, the Tribunal considered that some of the Department’s evidence was unrealistic:  for instance, it did not accept that the prospect of disclosure of their diaries would encourage Ministers to arrange unnecessary meetings as window dressing in order to deflect potential public criticism.  The overall effect of these criticisms, according to the Tribunal, was to reduce their confidence in the objectivity of the evidence and the accuracy and soundness of the witnesses’ evaluative judgments.

Overall, the Tribunal’s assessment was that the factors in favour of disclosure outweighed those in favour of maintaining the exemptions, but not by a particularly large margin.  With limited exceptions – reflecting concessions made by the Commissioner at the hearing – it upheld the Commissioner’s decision in favour of disclosure.

Apart from the interest of its specific subject-matter, the case is of general importance in relation to the Tribunal’s approach to the public interest test, especially under section 35.  It both exemplifies and defends the Tribunal’s established approach:  i.e. the Tribunal will consider Government evidence carefully; witnesses will be cross-examined on their assessment of the factors for and against disclosure; the Tribunal will take account of witness expertise, but will ultimately form its own view; and the Tribunal will reject Government evidence where it thinks it appropriate to do so, notwithstanding the absence of witness evidence taking a contrary view.  The central question on any appeal will be whether this approach requires modification.

Timothy Pitt-Payne QC