January 24th, 2011 by Robin Hopkins

Those considering the disclosure of personal data in a civil service context will wish to pay close attention to last week’s decision in Dun v IC and National Audit Office (EA/2010/0060). This is the latest Tribunal exercise in forensic scrutiny of fairness under the “personal information” exemption at section 40 (applied in tandem with the first data protection principle under the DPA).

The disputed information concerned the NAO’s enquiry into the Foreign & Commonwealth Office’s handling of employee grievances of a whistleblowing variety, i.e. those in which the employee had raised concerns as to “the proper conduct of public interest, fraud, value for money and corruption in relation to the provision of centrally-funded public services”. The request for information was triggered by the FCO’s inadvertent publication on its intranet of a “track changes” version of the draft report sent to it by the NAO: this tended to suggest that the FCO had sought not only to correct points of fact in that draft report, but also to influence its conclusions.

Unfairness of grievance and investigation information was pleaded based largely on the expectations of the complainants that their personal data would not be disclosed, and on the distress of their potentially being perceived as “trouble makers”.

A number of categories of arguably personal data were examined: junior civil servants’ names (outcome: don’t disclose), junior civil servants’ roles or job titles (outcome: disclose), contact details (outcome: don’t disclose, except for that part of an email address containing the name of a person whose name was otherwise to be disclosed), details of complaints and criticisms of employees (outcome: disclose in sufficiently redacted form).

The issue of redaction turned on whether disclosure in redacted form would preserve anonymity or achieve fairness – the NAO and IC had said no, but the Tribunal disagreed. It found that disclosure of whistleblowing case information in redacted form would be fair where (i) only those involved would be able to identify the persons being referred to, and (ii) those involved would not learn anything from the disclosed material which they did not know already.

This case is another instance of the established position that disclosure of the names of senior civil servants (here Grade 5 or above) will generally be fair, whereas those of their more junior colleagues would not. A note of caution here, however: the Tribunal was clear that no blanket policy should apply, and that fairness depends on the particular responsibilities and information with which the case is concerned.

One interesting aside: what of a civil servant who was junior at the time the information was created, but has since been promoted? Generally, subsequent events should not make a difference, but not necessarily: the Tribunal observed that it could “envisage a scenario where it is fair to disclose an earlier document in order to refute protestations of ignorance from the same individual who later becomes more senior and accountable”.


January 13th, 2011 by Timothy Pitt-Payne QC

The system of CRB checks (established under Part V of the Police Act 1997) is currently under review:  for the review’s terms of reference, see here.   At present, where an enhanced CRB check is carried out it is for the police to decide whether there is any non-conviction information that ought to be included in the enhanced CRB certificate:  for instance, information about acquittals, or about allegations that have never been tested at a criminal trial.  The legal principles governing this exercise – in particular, the relevance of Article 8 of the Convention – were extensively discussed by the Supreme Court in R (L) v Commissioner of Police of the Metropolis [2009] UKSC 3.

The recent decision of the Court of Appeal in Desmond v Chief Constable of Nottinghamshire Police [2011] EWCA Civ 3 raises a different issue:  for the purposes of the law of negligence, do the police owe a duty of care to the individual who is the subject of the certificate?  The Court of Appeal holds that they do not.

In Desmond, the claimant’s case (put very shortly) was that adverse information about him had been included in an enhanced CRB check; that the information disclosed was misleading; and that the decision to disclose could not be justified on the basis of the material available to the police, and had been reached without making proper enquiries.  He brought a claim against  the relevant Chief Constable, alleging (inter alia) breach of Article 8, breach of the Data Protection Act 1998, and negligence.

The claim in negligence was struck out, but this decision was partly reversed on appeal by Wyn Williams J, whose judgment is at [2009] EWHC 2362 (QB).  On further appeal, the Court of Appeal restored the original decision to strike out the negligence claim in full.  There was no proper basis for concluding that the chief officer was to be taken to have assumed responsibility to Mr. Desmond; the structure and purpose of the relevant legislation strongly suggested that there should be no duty of care; there was no case which persuaded the Court of Appeal, by analogy, that a duty of care should be imposed; and the existence of various other remedies that Mr. Desmond could pursue also supported the conclusion that no duty of care was owed. 

The Court of Appeal also states that Article 8 of the Convention is likely to be applicable in every case where non-conviction information is disclosed as part of an enhanced CRB certificate, and that a breach of Article 8 would give rise to a potential damages claim under section 8 of the Human Rights Act 1998:  see paragraph 9 of the judgment.  It appears from the Court of Appeal’s judgment that Mr. Desmond’s Article 8 claim still continues, as does his claim under the Data Protection Act 1998. 


January 7th, 2011 by Anya Proops

Last month I blogged on a recent Tribunal decision which considered whether, following Veolia v Nottinghamshire CC [2010] EWCA 1214 (“Veolia”), human rights considerations had a role to play in FOIA/EIR  cases involving the potential disclosure of confidential commercial information – see my post on the decision in Staffordshire CC v IC & Sibelco here. This month the Tribunal has promulgated another decision on the issue: see Nottinghamshire CC v IC & Veolia & UK Coal Mining Ltd (EA/2010/0142). The Notts case was concerned with a request for disclosure of particular information contained in a waste management contract between the council and Veolia. The particular information in dispute before the Tribunal was information contained in a schedule to that contract. In essence, the schedule detailed the leasing arrangements under which the council had an option to lease certain land from UKCM. The intention was that, once the leasing option was exercised by the council, Veolia would take a sub-lease of the land and then would build and maintain an incinerator on the land for the purposes of discharging its waste management obligations under the contract.

Contrary to the position adopted by the Commissioner, the Tribunal took the view that, despite the fact that it formed part of an overarching waste management contract, the information in the schedule did not in itself amount to environmental information (i.e. as it was simply information relating to prospective commercial leasing arrangements); accordingly, disclosure of the disputed information fell to be considered under FOIA rather than EIR. The applicable FOIA exemption was the commercial interests exemption (s. 43).

The Tribunal went on in its decision to comment on the application of human rights principles to the appeal, those principles having been considered by the Court of Appeal in the Veolia case. In essence, the Tribunal appears to have held that: (a) following Veolia, valuable commercial information could constitute a ‘possession’ of UKCM under Article 1 of Protocol 1 ECHR; (b) that, if the disputed information amounted to a ‘possession’, then UKMC had a right to privacy in respect of that information under Article 8(1) ECHR and, accordingly (c) disclosure under FOIA of that information would only be lawful if it was justified for the purposes of Article 8(2) ECHR. However, having reached these conclusions, the Tribunal appears to have taken the view that in fact these human rights considerations did not add very much to the overall analysis under FOIA, particularly as the requirements of the Article 8(2) justification test were already effectively reflected in the public interest balancing exercise which was built into s. 2 FOIA (see para. 74 of the decision).

It remains to be seen whether those with an interest in avoiding disclosure of commercially sensitive information will seek to argue in other cases before the tribunal that human rights considerations do in fact alter the analysis of the public interest balance under FOIA and, in particular, that they increase the weight in favour of maintaining the s. 43 exemption.


January 7th, 2011 by Anya Proops

The Ministry of Justice has today unveiled plans to extend the scope of FOIA, including plans to expand the number and type of bodies which are subject to FOIA. New authorities falling within the ambit of FOIA will include the Association of Chief Police Officers, the Financial Services Ombudsman, UCAS and all companies wholly owned by more than one public authority. The MOJ also intends to consult on bringing a range of further bodies which are believed to perform public functions within the scope of FOIA, including for example: Examination Boards, Harbour Authorities, the Local Government Association and NHS Federation. The Bar Council and the Law Society are also apparently identified as possible candidates for inclusion. There are also plans to make most public records available at the National Archives after 20 years (rather than the current arrangements where access is not permitted until after 30 years). The Justice Minister Lord McNally has confirmed that the Government intends to carry out a ‘full review of the FOI Act to ensure it is still operating in the most effective way’. In practical terms, it is intended that inclusion of new authorities such as ACPO and the FS Ombudsman to FOIA will be achieved via a Freedom Bill to be introduced by February 2011. See further the MOJ’s Press Release here.


January 7th, 2011 by Robin Hopkins

This morning’s speech by Nick Clegg on civil liberties had much to say about FOIA and access to information more broadly.

The Deputy Prime Minister said that the progress in transparency brought about by the introduction of FOIA has stalled: FOIA, he said “was a good start, but it was only a start. Exceptions remain far too common. And the available information is too often placed behind tedious bureaucratic hurdles.”

He hailed the Treasury’s COINS database, which details public services expenditure, the work of The Open Knowledge Foundation in processing that data for ready public consumption, and the Cabinet Office’s new transparency rules concerning the publication of spending figures by Whitehall departments (the Cabinet Office’s website explains its work on transparency).

He advertised the government’s plans for a Public Data Corporation, which will “bring existing government bodies together into one organisation, responsible for disseminating a wealth of data” (on which, see The Guardian‘s article here).

FOIA’s scope is to be extended “to cover potentially hundreds more bodies; including UCAS, the Association of Chief Police Officers, the Financial Ombudsman Service and many more”. A complete list has yet to be announced. The government does not, it appears, intend to make bodies such as water utility companies or Network Rail subject to FOIA.

Nor, it appears, will the Secretary of State’s right of veto over Tribunal decisions be repealed.

The 30-year rule is being scaled back to a 20-year rule.

Finally, the Justice Select Committee is to be tasked with “post-legislative scrutiny” (although it is not entirely clear to what legislation this task will apply) of how FOIA is being implemented.

Data protection crept in via Mr Clegg’s recognition that government “must be very respectful in handling personal information”. The EIR did not get a mention in the speech.

The full text of Mr Clegg’s speech is available here.


January 7th, 2011 by Robin Hopkins

Elmbridge Borough Council v IC (Additional Party: Gladedale Group Limited) (EA/2010/0106) is the latest Tribunal decision concerning requests for information about planning applications (see my posts on other such cases here and here, and Anya’s post on an earlier important planning case here). In particular, the disputed information here comprised a viability report containing details on costs, revenues, values and finances of a development in the vicinity of Hampton Court. The Council pleaded commercial confidentiality and sought to rely on regulations 12(5)(e) and 12(5)(f) EIR. The Commissioner found that these exemptions were not engaged. The Tribunal agreed, and ordered disclosure.

In so doing, the Tribunal confirmed that the confidentiality of this information must be objectively required at the time of the request (rather than, for example, when the information was created or passed to the Council) in order to protect a relevant interest. The Tribunal also confirmed that it is not enough that some harm might be caused by disclosure, but that it is necessary to establish (on the balance of probabilities) that some harm to the economic interest would be caused by disclosure.

A crucial feature of this case was the lack of evidence offered to demonstrate commercial confidentiality or prejudice. The Tribunal observed that:

“Throughout the investigation and consideration of the issues leading to the Decision, the Respondent consistently and repeatedly sought evidence from the Appellant to support their contention that the subject information was commercially sensitive or that its release would be prejudicial to the third parties concerned. It is noted by this Tribunal that the information made available to the respondent amounts to assertions and speculation by the interested parties. There is a notable absence of independent or objective evidence to support the assertions or speculation put before the Respondent.” 


January 5th, 2011 by Robin Hopkins

The Scottish Government has published its guidance document on Identity Management and Privacy Principles. The guidance is aimed at both public sector policy makers and with those involved in devising or operating systems for proving or recording identity. Key principles include:

  • For services which are used frequently and for which identification is needed, users should be required to register only once. Thereafter, unless there is a statutory requirement to prove identity, a person should generally be able to access the service by authenticating themselves using a token (such as a bus pass or library card) that proves their entitlement without revealing personal information. In other circumstances, a user name and a password may be required.
  • A Privacy Impact Assessment (PIA) or proportionate equivalent should be conducted and published prior to the implementation of a project which involves the collection of personal information.
  • Where a public body has a contract with the private sector or the third sector, the contractor must be contractually bound to adhere to best practice as outlined in the guidance.
  • The creation of centralised databases of personal information is to be avoided.
  • If a public service organisation needs to link personal information from different systems and databases (internally or between organisations), it should avoid sharing persistent identifiers. Instead, other mechanisms – such as matching – should be considered.


January 5th, 2011 by Robin Hopkins

The Administrative Court’s (as yet unreported) judgment in R (on the application of N) v a Local Authority in December 2010 saw the quashing of a decision to withdraw a licence to be in contact with children. The case concerned the familiar public law principles of judicial review and human rights, but from an information law perspective, the point of interests is this: in reaching its decision to withdraw the individual’s licence, the local authority compiled information on that individual, including the allegations made against him (namely, that he was a paedophile with a history of sexual offences) as well as its meetings with the individual. Ockleton J not only overturned the local authority’s decision, but also directed it to keep a copy of the judgment with its records relating to the matter, so that its records on this individual were full and accurate. Otherwise, he ruled, the local authority’s file on this individual was potentially misleading to anyone subsequently accessing it.


January 5th, 2011 by Robin Hopkins

In Football Dataco & Others v Yahoo! UK Ltd & Others, the Court of Appeal has referred to the ECJ questions on the interpretation of Directive 96/9 on the Legal Protection of Databases. Its principle question was: what is meant by “databases which, by reason of the selection or arrangement of their contents constitute the author’s own intellectual creation”?

The databases in question comprised football fixture lists in the English and Scottish leagues. The defendant used these without paying the claimant (an organiser of football fixtures). The claimant contended that, by arrangement of its contents, the fixture list became its “own intellectual creation”, thereby attracting the Directive’s protection. The defendant’s stance was that these lists did not attract such protection, because they were merely the fruits of “sweat of the brow” – in other words, compilation, but not creation.

The Court of Appeal observed that the ECJ’s answers to its questions had wide implications for the legal protection not only of sports fixture lists, but possibly also of TV listings, which required comparable energy and skill to compile.

Clear and Present Danger?

January 4th, 2011 by jamesgoudie

A Bill has recently been introduced in both Houses of the US Congress, in response to the Wikileaks disclosures, to amend the US Espionage Act 1917 to make it a criminal offence for any person knowingly and wilfully to disseminate, “in any manner prejudicial to the safety or interest of the United States”, any classified information “concerning the human intelligence activities of the United States”.  This proposal would appear to be constitutional with respect to US Government employees who leak such material to those who are unauthorised to receive it.  But what about the constitutionality of criminalising anyone who publishes the information after it has been leaked, especially given that the proposed new offence is not, at any rate expressly, limited to situations in which the spread of the classified information poses a “clear and present danger” of grave national harm?

The “clear and present danger” standard has been the governing principle under the First Amendment to the US Constitution since Supreme Court Justice Oliver Wendell Holmes Opinion in Schenk v United States in 1919.  The principle was stated by Supreme Court Justice Louis D. Brandeis in Whitney v California in 1927.  The founding fathers of the US “did not exalt order at the cost of liberty”, wrote Brandeis.  On the contrary, they understood that “only an emergency can justify repression.  Such must be the rule if authority is to be reconciled with freedom.  Such … is the command of the Constitution.  It is, therefore, always open to Americans to challenge a law abridging free speech and assembly by showing that there was no emergency justifying it”.

Writing in the New York Times on 3 January 2011, Geoffrey R. Stone, Professor of Law at the University of Chicago, and Chairman of the Board of the American Constitution Society, explains that the First Amendment does not compel Government transparency.  It leaves the Government autonomy to protect its own secrets.  It does not accord anyone the right to have the Government disclose information about its actions or policies.  It cedes to the Government authority to restrict the speech of its own employees.  What it does not do, however, is allow the Government to suppress the free speech of others when it has failed to keep its own secrets.

Professor Stone gives a number of reasons why it is right to give the Government limited scope for penalising the circulation of unlawfully leaked information.

First, the mere fact that such information might “prejudice the interests of the United States” does not mean that that harm outweighs the benefit of publication. In many circumstances, it may be extremely valuable to public understanding. Consider, for example, classified information about the absence of weapons of mass destruction in Iraq. Second, the reasons that Government officials want secrecy are many and varied. They range from the compelling to the illegitimate. It is tempting for Government officials to overstate the need for secrecy, especially in times of national anxiety.  Third, a central principle of the First Amendment is that the suppression of free speech must be the Government’s last rather than its first resort in addressing a problem. The most obvious way for the Government to prevent the danger posed by the circulation of classified material is by ensuring that information that should be kept secret is not leaked in the first place. The Supreme Court in Bartnicki v Vopper in 2001 held that when an individual receives information “from a source who obtained it unlawfully,” that individual may not be punished for publicly disseminating the information “absent a need … of the highest order”. The Supreme Court explained that if the sanctions now attached to the underlying criminal act do not provide sufficient deterrence, then perhaps they should be made more severe,  but that “it would be quite remarkable to hold” that an individual can constitutionally be punished merely for publishing information because the Government failed to “deter conduct by a non-law-abiding third party”.  Professor Stone concludes that if  the Government is granted too much power to punish those who disseminate information, then one risks too great a sacrifice of public deliberation; if, on the other hand, the Government is granted too little power to control confidentiality at the source, then  one risks too great a sacrifice of secrecy. The answer is to reconcile the values of secrecy and accountability by guaranteeing both a strong authority for the Government to prohibit leaks and an expansive right for others to disseminate information to the public.

James Goudie QC