April 30th, 2009 by Timothy Pitt-Payne QC
On 11 KBW’s main website, you can now find some conference papers delivered this month by members of chambers.
There’s a paper that I gave at a Northumbria University conference. The theme of the conference was information sharing; my paper is about the new law on breach of confidence (post-Campbell v MGN).
Yesterday, the LGG/11KBW legal update conference took place, with about 115 delegates. Karen Steyn gave a paper on recent case-law affecting local authorities; the first section is about information law. I gave a paper about employment vetting. In discussion, delegates were clearly very interested in getting to grips with the new ISA barring regime. Questions were raised about its implications for elected members of local authorities, and for volunteers (e.g. parents helping out in schools).
Another subject raised in discussion was the recent decision of the Administrative Court in R(G) v Governors of X School and Y City Council. A music assistant employed at a primary school was dismissed; the allegation was that he had formed an inappropriate relationship with a 15 year old boy who was on work experience at the school. The school’s disciplinary committee told the employee that they would be reporting the case to the Secretary of State for potential inclusion in “list 99″ (i.e. the statutory list of those banned from working in schools). The Court quashed the decision because the school had refused to allow legal representation at the dismissal hearing or at a forthcoming appeal. The disciplinary proceedings, and the referral to the Secretary of State for a potential banning direction, formed part of one and the same proceedings. Those proceedings were not criminal in nature for the purpose of article 6 of the Convention. However, their potential consequences were grave; and procedural fairness required the claimant to be allowed legal representation, before both the school’s disciplinary committee and its appeal committee.
April 29th, 2009 by Anya Proops
The Home Secretary has this week announced that proposals to create a State run super database, which would track everyone’s use of email, internet and text messages, have been scrapped. The announcement is hardly surprising. It was always going to be difficult to persuade the public that such a database could be kept secure, particularly in light of recent high profile controversies about large scale losses of electronic personal data by government agencies. Moreover, allowing the State to develop such a vast single repository of electronic communications data was always going to raise questions as to whether the resulting interference with private rights was proportionate and was otherwise consistent with the State’s obligations under the Data Protection Act 1998. The Government has now issued a consultation paper on new plans to allow telecommunications companies to retain the communications data for a period of 12 months. See further the Home Secretary’s Ministerial Statement.
April 27th, 2009 by Timothy Pitt-Payne QC
In November 2007 it was announced that HMRC had lost two CDs containing personal information about 25 million people. Since then there has been a steady stream of stories about data losses, mainly from the public sector.
The Data Protection Act 1998 requires appropriate measures to be taken against the accidental loss of personal data. Breach of this requirement can lead to enforcement action by the Information Commissioner. An individual whose data was lost could claim compensation from the data controller under section 13 of the Act, but only on proof of damage. If the individual had suffered identity fraud as a result of the breach then this would probably be sufficient. What if the individual argued that he was now at a higher risk of ID fraud, even though no fraud had yet taken place? Would this count as damage?
A US district court in California has recently considered a similar question. In Ruiz v Gap and Vangent a laptop was stolen containing unencrypted personal data of 750,000 Gap job applicants. In a class action, the plaintiff sued for negligence, contending that he and the other class members had suffered damage consisting of exposure to an increased risk of ID fraud. The Court granted summary judgment to the defendants and dismissed the claim. Speculative harm, or the threat of future harm, was not enough for a cause of action in negligence. The plaintiff relied on cases where recovery had been allowed for medical monitoring after negligent exposure to toxic substances; the court rejected the analogy. It also noted that Gap had informed those whose information was on the laptop, and had offered to provide them with 12 months of free credit monitoring. The plaintiff had not taken up this offer.
In policy terms it is questionable whether strengthening individual rights of action is the best way to deal with data loss. Of course, individuals who suffer direct financial loss – through ID fraud or otherwise – should be compensated. But in the Ruiz type of claim individual damages are likely to be modest. There is no great social benefit in spending a lot of time and money in order to provide a wide class of individuals with low-level compensation. Instead the focus should be on deterring breaches and avoiding recurrence. The Information Commissioner’s new power to fine for serious data protection breaches (DPA section 55A) is a step in the right direction, though not yet in force.
If the UK regulatory framework needs further strengthening then one option would be legislation requiring data controllers to notify affected individuals where information is lost or stolen. Last year the Thomas/Wolpert data sharing review recommended notification to the Information Commissioner as good practice, but not as a mandatory requirement. The Government agreed. Its response (see page 19) made clear that it had considered, and rejected, the possibility of a US-style law requiring notification of data breaches to the individuals affected.
Incidentally, I found the Ruiz case via the excellent blog maintained by InfoSecCompliance LLC, a US firm specialising in privacy, information law and data security. David Navetta is their founding member.
April 20th, 2009 by Anya Proops
On 17 April 2009, the Home Office launched a consultation on plans to stop investigatory powers being used under the Regulation of Investigatory Powers Act (RIPA) for trivial purposes. It seeks views on questions including: which public authorities should be able to authorise key investigatory techniques, for example, the use of communications data or covert surveillance in public places under RIPA; the purposes for which these investigatory techniques should be used; the option of raising the rank of the local authority employee authorising the use of investigatory techniques to senior executive; and whether elected councillors should play a role in the authorisation. The consultation follows on from a spate of public outcrys about the use of surveillance powers by public authorities, including not least the use of covert cameras by local authorities to watch how residents use their rubbish bins and the use of covert surveillance techniques to track a family which the local authority suspected may be living outside the local school catchment area. The issue of how the investigatory powers available under RIPA should be used is particularly current in view of the recent controversy over techniques used by the police to photograph protesters, many of whom it is argued are merely peaceful demonstrators.
April 17th, 2009 by Timothy Pitt-Payne QC
In the past few days there has been a lot of media coverage about online behavioural advertising – see for example this article published earlier this week in the Financial Times, under the euphonious title “A deeper peeper”.
One important issue in this context (e.g. in assessing whether this form of advertising involves unfair processing of personal information under the Data Protection Act) is the extent to which individuals can opt out of having information collected about their web usage. An opt out facility is offered by this site, which is maintained by a number of online advertising companies (including Google).
If you want to see whether Google is collecting information about your advertising preferences, or if you want to change that information, then you can do so here.
There’s an important general point here. Privacy will in future depend increasingly on two things. One is the development of tools to enable individuals to protect their privacy. The other is the willingness of individuals to find out about those tools and to use them. The Information Commissioner issued a report on this subject – entitled “Privacy by design” – in November 2008.
The other side of the coin, as far as behavioural advertising is concerned, is that some individuals will actually welcome the prospect of receiving advertisements that are targeted to their individual interests. For instance, a number of Amazon users are happy to see book recommendations that reflect their previous use of the Amazon site.
April 16th, 2009 by Anya Proops
The European Commission has announced that it is mounting a legal challenge in respect of the use of targeted online advertising in the UK. The challenge follows complaints which were made to the Commission in response to BT’s act of testing the technology on BT broadband users without their consent. The technology, which is the brainchild of a company called Phorm, enables internet service providers (ISPs) to profile what sites internet users visit so as to enable advertising companies more astutely to target their adverts on individual users. The Commission has taken the view that the UK has breached EU data protection laws by permitting the deployment of the technology in the absence of user consent. The Information Commissioner’s Office has previously stated that the use of the technology would be permissible if operated on the basis that users have opted in to the system. The Commission’s challenge raises real questions as to the legality of Google’s recently launched behavioural targeting system. See further my post on this system below.
April 14th, 2009 by Timothy Pitt-Payne QC
The overlap between FOIA and the DPA gives rise to a number of difficult problems.
In a paper just posted on 11KBW’s website (and originally delivered to a JUSTICE/Sweet & Maxwell conference in December 2008) I discuss some of these issues. In particular, I deal with the practical problems that arise when an individual makes a request for information to a public authority and some (but not all) of the information constitutes his own personal data. Because the request falls under both the DPA and FOIA, the Information Commissioner will need to deal with any complaint under two different legal regimes; if the requester subsequently appeals, the Information Tribunal will not have jurisdiction to deal with all the issues raised by the request. The article suggests that the present position is unsatisfactory and discusses options for reform.
April 13th, 2009 by Anya Proops
The launch of Google’s Streetview service in March 2009 sparked considerable debate within the British media. Privacy campaigners criticised the intrusive nature of the service, which enables internet users to access 360 degree views of people, homes, cars and streets in 25 of Britain’s cities. It would appear that the Information Commissioner has now had his say on the matter. According to an article published in yesterday’s Observer newspaper, the Information Commissioner rejected a complaint brought by Privacy International which challenged the legality of the service. Notably, the Observer reports that the Commissioner dismissed the suggestion put forward by Privacy International that consent should have been sought from individuals whose image was captured in the pictures shown by Streetview. He apparently compared the Streetview service with images of individuals broadcast during televised football matches, where similarly consent would not be sought. Of course, Streetview is not the only part of Google’s operations which have given rise to privacy concerns. Not least in recent weeks, concerns have been raised about another Google innovation, which enables advertisers to target adverts on individual Google users by relying on site-visit profiles developed by Google. The so-called behavioural targeting system enables Google to build up a profile of the internet sites visited by a particular user when using the Google search engine. The profile is then used as a basis for indicating what advertising the user may be interested in. Concerns expressed about the new system have included that individuals are not asked whether they wish to receive targeted advertising and, further, that the right to opt out of the system is not adequately advertised to users.
Guardian article on Streetview:
Channel 4 report on Behavioural Targetting System
April 9th, 2009 by Timothy Pitt-Payne QC
It’s a good time for a conference about information sharing. The data sharing provisions in the Coroners and Justice Bill have been withdrawn, in the face of widespread criticism – including from the Bar Council (for more background, see our previous posts here and here). The question whether anything will be done to implement last year’s Thomas/Wolpert review remains an open one.
Against this background, Northumbria University’s conference on 17th April is topical. Speakers include Richard Thomas (coming to the end of his term as Information Commissioner), Marcus Turle from Field Fisher Waterhouse, and Steve Eccleston from Sheffield City Council. I shall be delivering a paper about breach of confidence and its significance for information sharing (I will post it on the 11KBW website after the conference).