Demystifying Data Protection

November 27th, 2009 by Timothy Pitt-Payne QC

The Information Commissioner’s Office has just launched a Guide to Data Protection, available on the ICO website.  At the heart of the guidance is a detailed commentary on each of the Data Protection Principles, and on the conditions for processing set out in Schedule 2 and 3 of the Act.

The Data Protection Act 1998 is, notoriously, not user-friendly.  One of the problems is that so much of its central content is tucked away in the Schedules: for instance, you have to get as far as Schedule 7, paragraph 10 before you find out that there is an exemption to the right of subject access where information is protected by legal professional privilege.   So assistance in navigating the legislation is very welcome.

On a first glance, the ICO Guide looks as if it will be of real help – clearly written, comprehensive, but not unduly lengthy.  It will also be useful to those wanting to know how the ICO itself might interpret and enforce the Act.

Section 36 FOIA – Use it or Lose it

November 24th, 2009 by Anya Proops

The question of whether public authorities can rely on exemptions which have been claimed for the first time before the Commissioner or the Information Tribunal is a notoriously controversial one (see further e.g. Home Office & Ministry of Justice v IC where the Home Office sought to argue, against existing Information Tribunal orthodoxy, that a public authority could rely on an exemption no matter how late in the process – see further my earlier post on this judgment). The issue of late reliance is however particularly acute in respect of s. 36 FOIA (exemption where disclosure would be likely to prejudice the effective conduct of public affairs). S. 36 provides for a rather unusual exemption in that, in contrast with other exemptions under FOIA, the exemption is only engaged where a relevant opinion has been reached by the ‘qualified person’. The fact that the exemption under s. 36 will only be engaged in circumstances where a particular event takes place (i.e. the relevant opinion has been reached), a question arises as to whether that event must take place prior to the request being responded to (i.e. via the refusal notice) in order for s. 36 to be engaged. This issue has recently been considered by the Tribunal in the case of Roberts v IC & DBIS (EA/2009/0035), 20 November 2009. In that case, the Tribunal held that because information could only be withheld if it was exempt at the time of the request (or more precisely at the time the request was being responded to), it followed that an opinion which was reached after the refusal notice was sent out could not constitute a valid opinion for the purposes of s. 36. The restrictive approach to s. 36 adopted in Roberts is likely to be regarded as a controversial decision and may well be appealed. In the meantime, public authorities should probably err on the side of caution and aim to ensure that, wherever possible, any s. 36 opinion is obtained prior to the release of the refusal notice. It is in any event worth noting that, in the earlier case of Student Loans Company v IC, the Tribunal held that it did not have powers under s. 58 FOIA to consider the application of s. 36 because: (a) no reliance had been placed on that section before the Commissioner and (b) the Tribunal only had powers to decide whether the Commissioner’s decision was lawful (i.e. having regard to the case which was put before the Commissioner).

DNA Database – A Controversial Behemoth

November 24th, 2009 by Anya Proops

The police DNA database for England and Wales is currently the largest DNA database in the world. It has in excess of 5 million profiles, including the profiles of many individuals who have been found to be innocent of any charges made against them. The rapid development of this vast database has inevitably fuelled debates about the rise of the Surveillance ‘Big Brother’ State. Most notably, concerns have been expressed that the database unjustifiably interferes with the individual’s right to privacy, particularly having regard to the retention of records relating to people who have not been convicted of any offence (there are at least 850,000 profiles of such persons on the DNA Database). Earlier this year, these concerns resulted in a judgment by the European Court of Human Rights that the existing approach to the retention of DNA data relating to unconvicted individuals was unlawful (Marper v UK see also my earlier post on the Marper case). Concerns have also been expressed as to the disproportionate presence of individuals from ethnic minorities on the database, particularly young black men, and as to the resulting discriminatory potential which is effectively built into the system.

Two recent important developments suggest that the controversies surrounding the database are only likely to intensify in the coming months. First, the government has opted to use the Queen’s Speech to lay before Parliament a bill which contains a number of inevitably controversial provisions relating to the database (the Crime and Security Bill). Second, a government backed commission, the Human Genetics Commission (HGC) has today issued a report entitled Nothing to Hide, Nothing to Fear?’ which criticises a number of aspects of the existing database system.

The following aspects of the Bill are particularly worthy of note:

·         The Bill contains provisions aimed at giving the police additional powers to take DNA samples from individuals who have been previously arrested for crimes but whose biometric has yet to be obtained. The effect of the provisions is that the police will be entitled to take biometric data from someone who may have been arrested some time ago and before the new provisions came into force (clause 2(1)). The provisions also afford the police new powers to take DNA samples from UK nationals or residents who have been convicted overseas of serious sexual and violent offences (clause 3(1)). These powers would equally apply to convictions occurring prior to the coming into force of the new provisions.


·         The bill also sets out a statutory framework for the retention and destruction of biometric material (including DNA samples, DNA profiles and fingerprints) that has been taken from an individual as part of the investigation of a recordable offence (clause 14). These powers were consulted upon in the Keeping the Right People on the DNA Database paper published in May 2009. In effect, the provisions envisage a somewhat more nuanced approach to the retention of data with retention periods for the various categories of data depending on a number of factors including the age of the individual concerned, the seriousness of the offence or alleged offence, whether the individual has been convicted, and if so whether it is a first conviction. Most notably:


o   the fingerprints and DNA of adults who are arrested but unconvicted will prima facie be retained for a period of 6 years


o   the fingerprints and DNA of adults who are convicted will be retained indefinitely


o   lesser retention periods apply to persons under the ages of 18 and 16 and, in respect of such minors the gravity of the offence will be in issue


o   chief constables are however afforded a power to determine that any retention period may be extended by up to two years for reasons of national security


o   all DNA samples must be destroyed six months after being taken.


·         The Secretary of State will be afforded powers to make a statutory instrument prescribing the manner, timing and other procedures in respect of destroying relevant biometric material already in existence at the point the legislation comes into force. This will enable the Secretary of State to ensure that the retention and destruction regime set out in this Bill is applied to existing material (clause 19).


·         The National DNA Strategy Board which already exists to oversee the operation of the database will be put on a statutory footing (clause 20).

It remains uncertain whether any of these provisions will make it onto the statute books in advance of the forthcoming general election. However, it must be said that the growth in police powers which would be afforded under the Bill does not sit particularly comfortably with the serious concerns as to the existing system identified in the report from the HGC. Those concerns include, not least, concerns about the disproportionate representation of members of ethnic minorities; the retention of data relating to unconvicted persons for any period of time and, further, the problems of function creep.

Blacklisting again

November 23rd, 2009 by Timothy Pitt-Payne QC

Our earlier post about the blacklisting story in the Guardian continues to attract attention.

The article was by freelance journalist Phil Chamberlain; and his blog here gives a lot background information – including a photograph of the notorious database .  Phil has been following the story for about 18 months.

This I can do at home

November 23rd, 2009 by Timothy Pitt-Payne QC

The last Queen’s speech before the election includes another proposal for databases about children; this time, in relation to children who are being home educated.

The background is that in January 2009 the Department for Children, Schools and Families (DCSF) commissioned Graham Badman to carry out a review of the current system for supporting and monitoring home education. The report (available here) was published in June 2009. Its first recommendation was that the DCSF should establish a national registration scheme, locally administered, for all children of statutory school age who are, or become, home educated.

On 11th June the Government launched a consultation about registration and monitoring proposals for home education. Unfortunately I cannot link to the consultation document itself, as it is currently unavailable on the DCSF website. The key proposals in the consultation document were these.

2.1 Register of home educated children
The review recommends that DCSF establishes a national registration scheme, locally administered, for all children of statutory school age who are, or become, electively home educated. The scheme described in the review is one where education and safeguarding issues are both considered as part of the registration process, with an initial statement of educational intent forming the basis for subsequent educational monitoring arrangements. The review response acknowledges that ultimately the scheme would need to be underpinned by guidance and training for local authority staff in order to work effectively. We accept that it will take time to put the full scheme in place particularly where more work is needed to provide more comprehensive guidance on the practical interpretation of ‘efficient’ and ‘suitable’.
2.2 Registration would be granted automatically unless there were safeguarding concerns (see next section): if at any time a LA became dissatisfied with the quality of home education provided to a child, it would – as now – serve a school attendance order.
2.3 We propose to legislate now for registration and monitoring arrangements that will focus on safeguarding but should also improve the quality of education. They will have the following features:
• Every home educated child of compulsory school age must be registered with the local authority in which the child is resident;
• Regulations will specify the information that parents must provide which is likely to be child’s name, date of birth, address, the same information for adults with parental responsibility; a statement of approach to education, and the location where education is conducted if not the home;
• Scope to extend the scheme to 18 in future;
• Regulations will specify how registration should take place;
• Any changes to registration details should be notified immediately;
• Registration must be renewed annually;
• It will be a criminal offence to fail to register or to provide inadequate or false information;
• Pupils should stay on the school roll for 20 days after a notification to home educate;
• The school must provide the local authority with a record of achievement to date and predicted future attainment;
• DCSF will take powers to issue statutory guidance relating to registration and monitoring.
2.4 Safeguarding
The review recommends that local authorities should have a discretion to refuse registration where there are safeguarding concerns. In addition, if safeguarding concerns are identified after home education has begun, the LA would have powers to revoke registration. Each case would need to be considered on its merits, balancing the rights of parents to home educate, and the rights of children to receive a suitable education in a safe environment.
2.5 Monitoring arrangements
Local authorities tell us that they need greater powers to ensure that home educated children are safe, well, and receiving a suitable education. The current arrangements allow parents to submit evidence that a ‘suitable education’ is being provided, which could be mainly written evidence. Local authorities have no powers to interview home educated children to establish that sample material provided is representative of their work, nor to establish that they are safe and well.
2.6 We believe that local authorities should interview children within 4 weeks of home education starting, after 6 months has elapsed, and thereafter at least annually to assess the quality of education provided and ensure that children are safe and well. The local authority should visit the premises where education is conducted, and question the child about the education provided, although at least 2 weeks notice should be given before the visit is conducted. The local authority should have the right to carry out the interview without a parent being present, if this is judged appropriate, or alternatively if the child is vulnerable or has particular communication needs, in the company of a trusted person who is not the home educator or parent/carer.

The consultation closed on 19th October, and as yet there has been no Government response to it.  The Queen’s Speech  nevertheless includes a proposal for a Children, Schools and Families Bill, one element of which is to be a new home educators’ registration system. For the full text of the proposed Bill, see here.  The provisions about home education are in Schedule 1 to the Bill, and consist of proposed amendments to the Education Act 1996.   New section 19A(1) of the 1996 Act will require each local authority to maintain a register of home-educated children. Regulations will make provision for how parents can apply to have their children included in the register. The local authority must refuse registration if they consider that it would be harmful to child’s welfare for the child to become, or remain, a home-educated child. It seems that if registration is refused, and the child is not sent to school, then the likely consequence will be a school attendance order: see the proposed amendments to section 437 of the 1996 Act. Under new section 19H of the 1996 Act, regulations can be made requiring other local authorities, and schools, to share information with a local authority for the purposes of that authority’s home education functions.


There are four points to make about this. One is that the proposed registers are, in substance, a mechanism for parents to seek advance permission from their local authority before home schooling their children. Failure to register will not in itself be a criminal offence, but may lead to a school attendance order; and failure to comply with that order may be a criminal offence. Secondly, exactly what information is to be included in each register is unclear, and will be set out in regulations; but it may well be that the registers will include information about each child’s prospective home education, as well as basic personal details such as name and address. Thirdly, it is unclear as yet who will have access to these registers, and for what purpose.  And fourthly, there are to be specific information-sharing provisions in connection with home education.


Panopticon Feedback

November 23rd, 2009 by Timothy Pitt-Payne QC

One of our readers raised a question arising out of the previous post on employment blacklists. 

According to this report on the BBC website, Steve Acheson (who was on the blacklist) was the subject of an unsuccessful attempt by his former employer to obtain an injunction to prevent him from protesting against his dismissal.  Apparently the application was made under anti-terrorism legislation.  Our reader asks if we can throw any light on the legal basis for the application.

Unfortunately the answer is no; it appears that there is no report of the case online in any of the usual places.  The best I can find is this item from the website of Mr. Acheson’s solicitors.

We haven’t enabled the comments function on the blog.  But you are very welcome to send any feedback to  We are always delighted to see that people are reading and responding.

Banned Aid

November 21st, 2009 by Timothy Pitt-Payne QC

In March this year the Information Commissioner took enforcement action against the Consulting Association, which had been operating a secret blacklist of employees in the construction industry, including details of trade union activity. We posted about this story here, earlier this year.

Today, the Guardian has extensive coverage of what has happened since.

The Department for Business, Enterprise and Regulatory Reform has now consulted on draft regulations under section 3 of the Employment Relations Act 1999. The consultation ended on 18th August 2009. The proposed regulations are intended to outlaw the compilation, dissemination and use of blacklists of trade unionists. They would make it unlawful to refuse employment, or to dismiss employees or subject them to a detriment, for reasons related to a prohibited blacklist. Individuals who suffer loss through blacklisting would be able to bring claims either in the Employment Tribunal or in the civil courts, depending on the nature of their complaint.

The trade union UCATT commissioned a report from the Institute of Employment Rights about the proposed regulations. The report, by Professor Keith Ewing, was published on 15th September 2009: it is entitled “Ruined Lives”, and deals specifically with blacklisting in the construction industry. It includes sample material from Consulting Association files.  The report gives a fascinating history of the practice of blacklisting, going back to the late 19th century. It suggests a number of changes to the draft Regulations, including: that keeping or using a blacklist, or supplying information to it, should be a criminal offence; and that there should be a right to compensation for the fact of being included on a blacklist, even if the inclusion does not lead to any loss.

A further point to note about the draft Regulations is that they deal specifically with the blacklisting of trade unionists (as does section 3 of the 1999 Act). So they would not assist individuals who had been blacklisted for other reasons; e.g. because of their political beliefs and affiliations, or because they have a history of raising concerns about health and safety issues.

A number of individuals have brought employment tribunal claims arising out of alleged blacklisting. The claims have been consolidated and there will be a case management discussion in Manchester ET on 24th November 2009. This blog gives further information.

Meanwhile the Information Commissioner’s Office (ICO) has taken control of the Consulting Association database. Individuals who think that they may have been blacklisted can contact the ICO; for more information, see this page of the ICO’s website.

Using Special Advocates in Civil Litigation

November 19th, 2009 by Anya Proops

Yesterday, the High Court handed down a controversial judgment on the use of ‘the closed material procedure’ (CMP) in civil litigation: Al-Rawi & Ors v The Security Service & Ors (judge – Silber J). The background to the judgment is that a number of individuals who had been detained at Guantanamo Bay had brought claims for damages against the defendants on the basis that they had caused or contributed to the claimants’ unlawful detention and ill-treatment by foreign governments. A preliminary issue then arose in these cases as to whether the defendants could put evidence before the court using the CMP. The CMP, in effect, allows defendants to put documents in evidence before the court whilst at the same time withholding them from the claimants. The only way in which the claimants have any say on the closed material is through the use of special advocates appointed to act on their behalf. However, the role of special advocates is heavily circumscribed, not least because they cannot convey to their clients the content of the closed material.


The CMP has formerly been used in the context of deportation appeals heard by the Special Immigration Appeals Commission (SIAC). However, the CMP has not previously been a feature of civil litigation. Instead, in the context of civil litigation, if the government was concerned that the disclosure of particular information would be contrary to the public interest, the best it could hope for was to rely on the public interest immunity (PII) procedure. The crucial difference between the PII procedure and the CMP is that the former procedure operates so as to ensure that the PII material is not put before the court at all, whereas the latter procedure allows the government to put the closed material before the judge whilst at the same time not disclosing that material to the other side. Thus, there is an inherent asymmetry present in the CMP which is not present in the PII procedure.


In a controversial judgment, Silber J decided as a preliminary issue that use of the CMP was permissible in a civil claim for damages, albeit only in exceptional cases. In reaching this conclusion, Silber J rejected arguments that the High Court had no jurisdiction to permit the use of the CMP; that use of the CMP was inconsistent with the requirements of the CPR and that it was otherwise at odds with the established PII procedure. It is highly likely that this judgment will go on appeal. 11KBW’s Karen Steyn acted on behalf of the defendants.

Home Office publishes response to its consultation on communications data

November 16th, 2009 by Robin Hopkins

The Home Office has published a summary of responses to its April 2009 consultation paper on ‘communications data’, i.e. information about a communication that does not include the content of the communication itself. At present, such data is owned by communications service providers and accessed by certain public authorities under disparate statutory powers for the purposes of combating, for example, fraud, terrorism and other serious crime. The government is considering an overhaul so as to bring all communication types (such as web chat) and all relevant service providers (some of whose contractual positions place them beyond the current statutory arrangements) within the system.


The attendant tension between individual liberty and public protection is reflected in the 221 responses to this consultation.


A substantial minority of respondents objected in principle to any ‘surveillance’ of communications. A majority (albeit a fairly narrow one) agreed that communications data served an important public purpose and that the government should therefore act to maintain the capability of public authorities to make use of this type of information.


As to what form this action should take, only one element of the government’s proposed approach was widely welcomed, namely its rejection of a central database for holding all data of this type. Reservations were otherwise expressed about technological feasibility, data security and the proportionality of public authorities’ use of communications data.


Nonetheless, such reservations were not deemed forceful or widespread enough to deter the government from its proposed course. A number of respondents’ suggestions have been rejected, including the specifying of categories of data which should not be retained, and the requirement for a magistrate’s authorisation before communications data can be accessed.

The government is also satisfied that the DPA 1998 and RIPA 2000 provide sufficient safeguards against abuse of such data. A legislative review is, however, proposed, to see if a single means of authorised access (through RIPA 2000) would be practicable. Fresh or consolidating legislation appears likely.

Civil penalty notices: consultation

November 12th, 2009 by Ben Hooper

When the new monetary penalties regime under sections 55A-E of the DPA comes fully into force, the Information Commissioner will have power to impose a civil penalty on a data controller for a serious contravention of any of the data protection principles if – in essence – the contravention is (1) deliberate or reckless and (2) of a kind likely to cause substantial damage or distress.


The Ministry of Justice is currently consulting on what the maximum penalty under section 55A should be. £500,000 is proposed. Whilst this is clearly not an insubstantial sum, it needs to be compared with the fact that many other regulators have power to impose a penalty of up to 10% of an organisation’s turnover. If the data controller at issue has a turnover that is significantly above £5m, and – for example – a serious contravention has caused damage or distress to a very large number of people, the maximum penalty of £500,000 may begin to look a little on the small side. Indeed, the Commissioner may not even be able to go that far: the ICO’s draft guidance on the monetary penalty powers indicates at paragraph 7.4 that swift payment of the penalty will lead to a 20% reduction. So a data controller that decides not to contest the penalty may end up only paying a maximum of £400,000.


One final point. The penalties are to be paid into the consolidated fund (section 55A(8)). Thus, where the data controller is a central government body, the imposition of any size of penalty will have a slightly unreal quality to it, as the sum involved will simply return to the financial pot from which the body in question drew its funding in the first place.