Cloud computing – new ICO guidance

September 27th, 2012 by Anya Proops

Cloud computing is becoming an ever more pervasive feature of the technological world. Whether one is dabbling in social networking or purchasing goods online, the truth is that we all, to a greater or lesser extent, now have our heads in the virtual clouds. However, the use of cloud computing inevitably raises important information law issues, particularly in terms of the impact on privacy rights and also under the Data Protection Act 1998. So far as the DPA is concerned, issues which fall to be considered include:

  • who actually controls the data which is being processed via the cloud (i.e. who is liable under the DPA if things go wrong in data protection terms)

  • what steps a data controller may be required to take to safeguard against misuses of personal data within the cloud

  • the security implications of processing personal data through cloud computing and, in particular, whether the processing of data via the cloud is compliant with the seventh data protection principle

  • the legality of using clouds which operate transnationally and, hence, which may bring into play the application of the eighth data protection principle on cross-border data transfers

Importantly, the Information Commissioner has today issued guidance which is designed to help organisations navigate their way through the potentially complex DPA issues which may arise in the context of cloud computing. You can find the guidance here.

Particular points to note about the guidance include the following:

  • the Commissioner has (unsurprisingly) confirmed that the DPA applies to any processing of personal data which takes place in the cloud

  • the guidance suggests that, when it comes to determining who is the ‘data controller’ in respect of data which is processed via the cloud, one should generally look to the purchaser of the particular cloud services (i.e. the cloud service customer). This is because it is typically the cloud customer who will determine the purposes for which and the manner in which the data is being processed (see further the definition of ‘data controller’ in s. 1(1) DPA). However, that is not to say that there will not be cases where the cloud provider itself has sufficient control over the data such that it can properly be designated as a ‘data controller’ under the Act

  • if two or more data controllers within a ‘community cloud’ intend to share data they should take time to clarify their roles and decide who is the controller in respect of which data

  • a data controller cannot simply assume that, because a cloud provider has a set of standard terms and conditions, those terms and conditions afford sufficient safeguards to guarantee compliance with the DPA. The data controller must itself take steps to ensure that the safeguards deployed by the particular cloud provider are fit for purpose, having regard not least to the sort of data in issue and how it is to be processed. This may well entail the data controller looking for cloud providers which can tailor their services to accommodate the data controller’s specific requirements

  • data controllers should ensure that they are only putting data into the cloud which actually needs to be there. Thus, data controllers should effectively ensure that they are sieving their data before putting it on the cloud and should create clear records of the sort of data they intend to move to the cloud

  • insofar as the particular cloud service results in the collection of meta-data about the data subject (e.g. information revealing transaction histories), data controllers should be aware that this may also constitute personal data to which the data protection principles apply

  • cloud customers should adopt strategies to limit the chances that the use of cloud computing will breach the data protection principles. Such strategies should include:

      • conducting risk assessments

      • ensuring that appropriate written contracts are in place with the cloud provider

      • reviewing the quality and depth of the security arrangements offered by the cloud provider

      • ensuring that adequate security measures are applied to the data (e.g. via encryption, use of password access etc.)

      • ensuring that the cloud provider has in place a suitable retention and deletion policy and querying what happens to any data on the cloud in the event that the cloud customer withdraws from the cloud

      • ensuring that the cloud provider’s own access to the data is suitably controlled and limited

      • taking measures to ensure that the cloud provider is not itself in a position to start adapting the purposes for which the data is being processed without the cloud customer’s authorisation

      • exploring with the cloud provider the extent to which the data may be transferred abroad (e.g. because the cloud straddles a variety of different jurisdictions) and, further, the quality of any data protection regime applicable in any foreign jurisdiction to which the data may be transferred

      • having policies in place which ensure that data subjects are properly informed about how their data is being processed

      • monitoring data compliance once the cloud services have been obtained

All organisations which use or provide cloud services should, as a matter of urgency, familiarise themselves with this policy or else risk developing a stormy relationship with the Commissioner in future.

Anya Proops

Legal advice on Scottish independence: date set for appeal

September 24th, 2012 by Robin Hopkins

In a decision notice of 6 July 2012, the Scottish Information Commissioner, Rosemary Agnew, ordered the Scottish Ministers to confirm or deny whether they had taken legal advice on the status of Scotland within the European Union should Scotland choose to break away from the UK. In essence, the underlying issue is whether or not an independent Scotland would retain EU membership or whether it would need to apply afresh. The Scottish Ministers have appealed against that decision, arguing that they were entitled under the Freedom of Information (Scotland) Act 2002 to refuse to confirm or deny whether they had taken such advice. The appeal is being fast-tracked, and has been listed for 18-19 December. In the meantime, here is Panopticon’s synopsis of the issues in the decision notice.

First, it is important to note how the ‘neither confirm nor deny’ (NCND) provision under s. 18 of FOISA works. Public authorities are entitled to issue an NCND response if the underlying information, if held, would be exempt from disclosure (due to the balance of interest in maintaining a qualified exemption) and if the public interest in neither confirming nor denying whether such information is held outweighs that in confirmation or denial.

The Scottish IC agreed with the Scottish Ministers on the first limb – but not the second.

The first qualified exemption relied on was s. 29(1)(a) FOISA (formulation or development of government policy). The Commissioner took the view “that “formulation” of government policy suggests the early stages of the policy process where options are identified and considered, risks are identified, consultation takes place and recommendations and submissions are presented to the Ministers. “Development” suggests the processes involved in reviewing, improving upon or amending existing policy; it can involve piloting, monitoring, analysing, reviewing or recording the effects of existing policy” (paragraph 15). The Commissioner accepted that this exemption would be engaged with respect to the underlying legal advice (if any were held). She rejected the requester’s argument that policy (here: achieving independence for Scotland) is one thing, but advice on the legal effects of that policy (here: EU membership) was a different and separate matter.

The second qualified exemption relied on was s. 30(c), which applies where disclosure “would otherwise prejudice substantially, or be likely to prejudice substantially, the effective conduct of public affairs”. The Commissioner said (paragraph 22): “This is a broad exemption and the Commissioner expects any public authority citing it to show what specific harm would be caused to the conduct of public affairs by release of the information, and how that harm would be expected to follow from release.”

Again, she was satisfied that the exemption would be engaged. See paragraph 26: “The Commissioner accepts the Ministers’ arguments that disclosure of any such advice at this stage could be obstructive to future dialogue and negotiations with other parties and stakeholders concerning a matter of sensitivity, importance and significance.”

The requester argued that, if such legal advice was held, one could scarcely think of information in which there was a stronger public interest in disclosure. In contrast, the Ministers advanced arguments based on the need for a safe space, the risk of a chilling effect on communications, and the risk that disclosure of such information at the time of the request would create substantially misleading impressions. The Commissioner agreed that these factors were significant and that, if such information were held, the public interest would favour the maintenance of the exemptions. She added that “… in September 2011, the independence referendum was still some years away. In her view, the urgency of the need to understand the consequences of any legal advice obtained by the Ministers would be considerably less at that time (or even now) than it would be as the referendum approached” (paragraph 44).

That, however, only got the Ministers part of the way to an NCND position. The Commissioner found that the public interest favoured confirming or denying whether the Ministers had taken legal advice on this issue. At paragraph 52, she concluded that:

“In the Commissioner’s view, the role of FOISA is important not only in enabling transparency in information held by public authorities, but also in enabling transparency in information about process. In this case, whilst the Commissioner has concluded that, if the advice existed and was held by the Ministers, they would have been entitled to issue a refusal notice under section 16(1), the Commissioner considers that it is in the public interest to know the type of information that the Ministers were taking into account in developing policy in relation to such a significant issue as independence.  While it is a matter for Ministers to take the approach they consider appropriate, this would enable interested parties to form their own opinions on the way in which Ministers develop policy and take decisions.”

The appeal will be extremely interesting both for its importance and for its analysis of the mercurial concept of the public interest which lies at the heart of information rights legislation.

Robin Hopkins

Chagos Refugees Group in the First-Tier Tribunal: some key points

September 24th, 2012 by Robin Hopkins

The Chagos Archipelago forms part of the British Indian Ocean Territory (“BIOT”). In the late 1960s and early 1970s, the inhabitants of the Chagos Islands were required to leave those islands. At or around that time, a US military base was established on Diego Garcia, the largest of the Chagos Islands. The removal of the “Chagossians” has been a matter of considerable political and media debate, as well as complex legal proceedings. Two legal challenges are ongoing: Chagos Islanders v UK before the European Court of Human Rights, and Bancoult (No 3) before the domestic courts.

In 1999, the then Foreign Secretary commissioned a feasibility study concerning the possible resettlement of some of the islands. A preliminary study was conducted, followed by a “phase 2B” study conducted by external consultants. The final report of the phase 2B study was made public. There was some ministerial correspondence about the studies.

In April 2010, representatives of the Chagossians sought information from the Foreign & Commonwealth Office about these studies. In particular, they asked for any draft versions of the phase 2B study (and any accompanying reports), as well as related ministerial correspondence.

The FCO disclosed some information, but withheld one note to a minister (Baroness Amos). As regards the draft reports, it claimed that – if these existed at the time of the request – they were held by the external consultants who authored them. The FCO maintained that the consultants did not hold that information “on behalf of” the FCO for the purposes of the Environmental Information Regulations 2004. The Commissioner upheld the FCO’s position.

The Tribunal (chaired by Andrew Bartlett QC) upheld the Chagossians’ appeal in part. A disclaimer to the following analysis: I appeared for the Information Commissioner. The post below is not a commentary on the case, but (with my Panopticon hat on) I highlight some of the points of general interest to FOIA and EIR practitioners. For a broader commentary on the case, see the excellent post from David Hart QC on One Crown Office Row’s UK Human Rights Blog.

The Tribunal in Chagos Refugees Group in Mauritius and Chagos Social Committee (Seychelles) v IC and FCO (EA/2011/0300) agreed with the FCO that information held by the consultants was not, at the date of the request, held “on behalf of the FCO” for EIR purposes. The Tribunal applied the guidance on the approach to “held” from University of Newcastle v IC and BUAV [2011] UKUT 185 (AAC), [2011] 2 Info LR 54 (see paragraphs 59-67). Generally, whether information is “held” will be a question of fact, but the Tribunal added that “we would also wish to qualify the proposition in McBride v IC and Ministry of Justice (EA/2007/0105) that whether information is held on behalf of a public authority is “simply a question of fact”. In some cases it will be important to determine the exact nature of the legal relationship between a person holding information and the public authority, or to determine the legal structure pursuant to which information was created and held” (paragraph 61).

The Tribunal analysed both the factual and legal relationship between the FCO and the consultants in reaching its conclusion. Its decision should be given careful attention when considering whether information is “held on behalf of” a public authority.

On the adequacy of the FCO’s own searches, the Tribunal said this at paragraph 70:

“… we consider it is relevant to draw attention also to the Tribunal’s remarks in the context of a FOIA request in Muttitt v IC (EA/2011/0036) (31 January 2012) at [68], to the effect that a search should be conducted intelligently and reasonably, and that this does not mean it should be an exhaustive search conducted in unlikely places: those who request information under FOIA will prefer a good search, delivering most relevant information, to a hypothetical exhaustive search delivering none, because of the cost limit.”

As to the Baroness Amos note, the Chagossians were largely successful in their appeal: disclosure was ordered, bar a few redactions. In its analysis, the Tribunal considered the time at which the public interest was to be assessed. It has become almost trite in FOIA and EIR cases that the answer to this question is “at the time of the request or, at the latest, the date at which the public authority ought to have responded”. This question is, however, not altogether settled. In this case, the Tribunal was content to assess matters up to the date of the conclusion of the FCO’s internal review (see paragraphs 22-29). On a similar point, the Upper Tribunal in Evans (see my earlier post on this) by no means considered it beyond doubt that matters should only be assessed at or shortly after the date of the request.

The Tribunal considered that weighty public interests would be served by disclosure of the contents of the Baroness Amos note, despite that being only a small amount of information. At paragraph 112 it said this:

“The amount of information in a potentially disclosable document is without doubt a material matter to take into account. At the same time, it is important not to discount unduly the significance, in the public interest, of the disclosure of small amounts of information. Publicly useful freedom of information requests are generally limited in scope. If too broad, they face the obstacle under FOIA of the costs limit, and under the EIR of the proportionality requirement. If the Tribunal were to take an unduly minimalist view of the value of the publication of relatively small amounts of information on matters of considerable legitimate public interest, this would materially reduce the effectiveness of the legislation. We would regard this as tending to conflict with the general purpose of the legislation, as seen in the authoritative remarks in Sugar v BBC [2012] UKSC 4 at [76]-[77], which in our view apply with equal force to the EIR, particularly in view of the presumption in favour of disclosure found in EIR regulation 12(2).”

This outweighed the public interest in maintaining the exception for internal communications. Timing was key to the ‘safe space’ argument advanced by the FCO and the Commissioner. The Tribunal endorsed the approach taken in the Department of Health (NHS risk registers) case, whereby policy formulation can “dip in and out” of the need for a safe space. The Tribunal in this case concluded that (paragraph 123):

“We acknowledge the prospect that at some future date – perhaps in 2013, perhaps later – after the final conclusion of the two pending pieces of litigation, the resettlement policy is likely to be the subject of reconsideration. In our view that was at all material times, and remains today, a very weak reason for maintaining the confidentiality of a document written in entirely different circumstances in 2002.”

Robin Hopkins

HRH the Prince of Wales: advocacy of an ordinary man

September 19th, 2012 by Robin Hopkins

The Upper Tribunal’s judgment in Evans v IC and Others (Seven Government Departments) [2012] UKUT 313 (AAC) (Mr Justice Walker, Professor John Angel and Suzanne Cosgrave), handed down yesterday, has received extensive media coverage – unsurprisingly so, given the subject matter (Prince Charles’ correspondence with government departments) and the requester (Rob Evans of the Guardian). The judgment is stupendously long (65 pages, plus 3 open annexes). Here are the salient points.

The issues

Mr Evans made requests in April 2005 for correspondence between Prince Charles and seven government departments. Crucially, this was confined to correspondence involving “advocacy” on the part of Prince Charles, i.e. information on (a) “identifying charitable need and setting up and driving forward charities to meet it”, and/or (b) the promotion of Prince Charles’ views on various issues. It was described as “argumentative correspondence”. The interaction with government was first revealed in the Prince Charles-approved biography by Jonathan Dimbleby published in November 1994.

Disclosure was refused on the basis of a number of exemptions under FOIA: ss. 37(1) (communications with Her Majesty, with other members of the Royal Family or the Royal Household), 40(2) (personal data) and 41 (actionable breach of confidence). Insofar as it comprised environmental information, the requested information was refused on the basis of reg. 12(5)(f) EIR (adverse effect on the interests of the person who provided the information).

The relevant date for the Upper Tribunal’s assessment was 40 days after Mr Evans’ requests for internal reviews of these refusals, i.e. 28 February 2006. At that stage, the relevant part of s. 37(1) was a qualified rather than an absolute exemption.

The Upper Tribunal found in Mr Evans’ favour with respect to all of the exemptions: the public interest favoured disclosure (in the case of the qualified and EIR exemptions), disclosure of the relevant personal data would not breach a data protection principle, and any action for breach of confidence would be defeated by a public interest defence.

The crucial issue: advocacy correspondence and the education/apprenticeship convention

The case for withholding the information was to stand or fall with the analysis of the relevant constitutional conventions (practices which are non-legal but fundamental to the UK’s parliamentary democracy) concerning communications between the monarchy and government. The Upper Tribunal analysed these conventions in depth, and addressed the crucial issue of the extent to which they were relevant to the “advocacy” correspondence in dispute.

Two conventions are extremely important. The cardinal convention is that the monarch acts on advice. The tripartite convention is that the monarch is entitled to be consulted, to encourage and to warn her ministers. The Upper Tribunal was satisfied that “there is ample reason to justify the principle that the internal operation of these two conventions is not revealed, at least until after a long time has passed” (paragraph 87). These two conventions, however, apply only to the sovereign – not to the heir.

The pivotal convention relied on in this case was the “education convention”, whereby the heir to the throne is to be instructed in the business of government. The Upper Tribunal preferred this label to the proposed alternative of “apprenticeship convention”: the latter term assumed what it had to prove, namely that Prince Charles was through the disputed correspondence practising the skills required of him when he becomes the sovereign, rather than some other skills. Also, the work of apprentices is overseen by masters; Prince Charles is thus not like an apprentice or, for that matter, a pupil barrister (the Upper Tribunal noted) insofar as he is conducting his advocacy correspondence.

Until relatively recently, the education convention was, in constitutional terms, “little more than a footnote” (paragraph 89). Nonetheless, it was important, and the Upper Tribunal’s judgment did not entitle Mr Evans to information caught by that convention.

The fundamental issue here was that, contrary to the case for the government departments (who advanced the novel case that the education convention encompassed all information of this kind), the advocacy correspondence did not come within the education convention. The Upper Tribunal considered that the alleged constitutionally-important confidentiality of such advocacy correspondence could not be reconciled with the disclosures in the Dimbleby biography.

Ultimately (paragraph 99):

“The plain facts are that what Prince Charles is doing is not prompted by a desire to become more familiar with the business of government, and simply is not addressing what his role would be as king…  they all have as their context Prince Charles’s strong belief that certain action on the part of government is needed.”

See also paragraph 106:

“… there is an overwhelming difficulty in suggesting that there is good reason for regarding advocacy correspondence by Prince Charles as falling within a constitutional convention… it is the constitutional role of the monarch, not the heir to the throne, to encourage or warn government. Accordingly it is fundamental that advocacy by Prince Charles cannot have constitutional status… the communication of encouragement or warning to government has constitutional status only when done by the monarch.”

The key conclusion: Prince Charles’ advocacy correspondence has no special status favouring non-disclosure

The Upper Tribunal was clear that, for Prince Charles as for anyone else seeking to advance charitable causes or promote views through correspondence with government, such advocacy correspondence would generally be disclosable. See paragraph 7:

“Confidential interaction between government ministers and others, in a context where those others are seeking to advance the work of charities or to promote views, would generally be disclosable – especially where those others have privileged access to ministers. Our conclusion is that special factors concerning Prince Charles will not – under the legislation governing the requests in this case – generally result in a different consequence.”

In other words, Prince Charles’ advocacy correspondence is to be treated in the same way as anyone else’s. See paragraph 210:

“We are not persuaded that they warrant giving correspondence between ministers and Prince Charles greater protection from disclosure than would be afforded to correspondence with others who have dealings with government in a context where those others are seeking to advance the work of charities or to promote views.”

The result was that the public interest/fairness factors favouring non-disclosure were not especially weighty, at least in that they did not have any constitutional significance. This judgment is also the first binding confirmation that, as with the EIR, the public interests protected by each separate FOIA exemption are to be aggregated, and the cumulative public interest in non-disclosure is to be weighed against that in disclosure (see paragraph 207).

The public interest in disclosure

So, when analysing the public interest/fairness case for withholding the information, Prince Charles was to be treated like an ordinary person. Prince Charles is, however, not like an ordinary person, given his position and influence. The Upper Tribunal found there to be great public interest in how he sought to wield that influence through his advocacy correspondence. It also made a number of important observations on ‘general’ (i.e. non-case-specific) factors favouring disclosure, and commented on the relevance of media interest. The most notable public interest points are below.

The Upper Tribunal firmly endorsed the strength of the public interest in transparency on important governmental matters generally, irrespective of whether the particular information does or does not answer any questions of specific concern. See paragraph 133 (my emphasis):

“… we think it important that the strength of these general interests should be acknowledged rather than minimised. It is because other methods of achieving accountability and transparency have had only limited success that freedom of information has been agreed by signatories to the Aarhus convention as regards environmental matters, and enacted more generally throughout the United Kingdom as a whole. When disputed information concerns important aspects of the working of government, the interests in accountability and transparency will be not merely of general importance, but of particular strength.”

On a similar note, the Upper Tribunal was clear that an informed debate was something of great importance, regardless of whether the information helped dispel or confirm any particular suspicions about how Prince Charles wielded influence. See paragraph 151:

“It seems to us that the perception that Prince Charles exercises special influence stems from the biography. As to whether it would either be confirmed or dispelled by disclosure of the disputed information, this too seems to us to miss the point: the public interest lies in having an informed debate.”

Moving on to the particular nature of the information in dispute, there was strong public interest in transparency of Prince Charles’ advocacy correspondence, particularly given that he seeks to conduct that correspondence in a way that represents the interests of (at least some of) the public. See paragraphs 141-142, and 152:

“The fact that Prince Charles corresponds with and meets ministers, on confidential terms, is in the public domain: but without the disclosure of actual examples of the correspondence, it is difficult for the public to understand what this actually means in practice… whether this country should remain a monarchy is of course a legitimate matter of public debate. More generally, debate about the extent and nature of interaction between government and the royal family, and how the monarchy fits in to our constitution, goes to the heart of understanding the constitutional underpinning of our current system of government. We conclude that these are all important and weighty considerations in favour of disclosure.

We agree with the Departments that when it is said that Prince Charles speaks “on behalf of us all” that reflects that he writes to ministers on what he believes is in the public interest. This, however, does not answer Mr Evans’s point that it seems incongruous that the public should not know about it.”

As to the public interest defence to a breach of personal confidence, the Upper Tribunal considered it important that Prince Charles voluntarily conducts himself as a public figure. See paragraph 202:

“It would be unreal to contend that Prince Charles is not a public figure. Neither the Commissioner nor the Departments advance such a contention. There is, however, in our view a strong air of unreality about their contention that his birth gave him no choice as to whether to engage in advocacy correspondence. The analogy made by Mr Fordham with a hereditary peer was in that regard compelling: some may feel impelled to intervene for the public good as they see it, either publicly or behind the scenes. Others may not. Applying the Strasbourg case-law we see no basis for saying that when Prince Charles does so his actions must be characterised as “truly personal.” On the contrary they are, on his own description, all motivated by a desire to put the “Great” back in Great Britain.”

Media interest was a relevant public interest factor, but the Upper Tribunal was careful to distinguish sensationalism from serious reporting. See paragraph 157 (my emphasis):

“The media interest in Prince Charles’s interaction with ministers is substantial.  It seems to us that this is not a factor which in itself necessarily favours disclosure.  What is relevant is that there is a real debate, generating widespread public interest, on a matter which goes to the heart of our constitution.  Sensationalism merely for the sake of it will not generally be in the public interest.  The media accounts we have seen have, on occasion, had sensationalist aspects.  For the most part, however, the media reporting is of a kind which has focused on the substance.  It is relevant when assessing the public interest to note the extent to which, over the relevant period, there have been media reports of this kind.”

The Upper Tribunal was not persuaded that disclosure would have a “chilling effect” on correspondence between the Prince and the government. Nor did it consider it relevant that the Prince’s advocacy was not motivated by any desire for commercial gain.

A final important point on the public interest balance concerned the argument (advanced relatively frequently) that disclosure of this information would engender misconceptions or misunderstandings on the part of the public. Again, the Upper Tribunal was not persuaded. It said this at paragraph 188 (my emphasis):

“There is, as it seems to us, a short answer to all the various ways in which the Departments have sought to rely on dangers of “misperception” on the part of the public. It is this: the essence of our democracy is that criticism within the law is the right of all, no matter how wrongheaded those on high may consider the criticism to be.”

The future: ‘interesting questions’

Given its assessment of important constitutional principles (not only as regards the heir to the throne, but as regards democratic engagement more generally), this judgment is a very important development in FOIA jurisprudence.

However, s. 37 is now largely an absolute exemption (thanks to the changes to FOIA made by the Constitutional Reform and Governance Act; as an aside, see the unsuccessful attempt to obtain information on how those changes came about: Pragnell v IC and Ministry of Justice (EA/2011/0279)). Does this mean Evans is of largely historic interest when it comes to information concerning the monarchy? The answer is, probably not. First, some requests for information made prior to the CRAG changes remain to be resolved. Secondly, the EIR have of course not been correspondingly changed – which raises what the Upper Tribunal considered “interesting questions”. “Environmental information” has been sought from members of the royal family in the past: Bruton v IC and Duchy of Cornwall (EA/2010/0182) was one such case, and one imagines it will not be the last. The Evans principles may therefore be highly relevant in future cases.

11KBW’s Jonathan Swift QC, Julian Milford and Tim Pitt-Payne QC appeared in this case.

Robin Hopkins

Important developments in surveillance law: RIPA and CCTV

September 17th, 2012 by Robin Hopkins

Important changes to the Regulation of Investigatory Powers Act 2000 come into force from 1 November 2012, thanks to the Protection of Freedoms Act 2012 (Commencement No. 2) Order 2012, passed last week. This is an extremely important development for local authorities.

Local authorities are empowered under RIPA to use three surveillance techniques: directed surveillance, the deployment of a Covert Human Intelligence Source (CHIS) and accessing communications data. Early in its term, the Coalition government indicated that it would impose additional safeguards on local authorities’ use of such powers, responding in part to concerns aired by Big Brother Watch and others (see our post here and the recent ‘Grim RIPA’ report here). Chapter 2 of Part 2 of the Protection of Freedoms Act 2012 amended RIPA so as to require local authorities to obtain the approval of a magistrate for any authorisation for the use of a covert investigatory technique.

The procedure for obtaining judicial approval may be much like that involved in obtaining search warrants. It remains to be seen how magistrates scrutinise the reasoning and evidence supporting an authorisation so as to ensure that the conditions laid down by RIPA – in particular, necessity and proportionality – are satisfied. Ibrahim Hasan has discussed the changes in his Local Government Lawyer piece here.

Last week also saw a second important announcement on surveillance. The government has announced that it is busy with preparatory work on a new CCTV code of practice, with the aim of consulting on the draft code over the autumn and bringing the new one into force in April 2013. Authorities specified in s. 33(5) of the Protection of Freedoms Act 2012 have a duty to have regard to the code, and other system operators will be encouraged to adopt it on a voluntary basis.

The Home Office Minister, Jeremy Browne MP, told the House of Commons last week that the government is “committed to ensuring that any deployment in public places of surveillance cameras, including close circuit television (CCTV) and automatic number plate recognition (ANPR), is appropriate, proportionate, transparent and effective in meeting its stated purpose”.

Oversight of – and independent recommendations about – the new code will fall to Andrew Rennison, who will remain in post as both surveillance camera commissioner and forensic science regulator until February 2014.

If one adds the Local Authorities (Executive Arrangements) (Meetings and Access to Information) (England) Regulations 2012, also passed last week (see my post here), this is clearly a time of great flux in terms of the information law landscape for local authorities in particular.

Robin Hopkins

Local authorities and NHS Trusts (2): unusual appeals ahead

September 17th, 2012 by Robin Hopkins

I blogged earlier (see below) about the sorts of information law issues that arise routinely for local authorities and NHS Trusts. On a more unusual note, it is worth noting that the First-Tier Tribunal is due to hear appeals against notices other than the usual decision notices issued by the Information Commissioner under s. 50 of FOIA.

The first ever appeal against a monetary penalty notice issued for breaches of the Data Protection Act 1998 will be heard on 3-5 December of this year: Central London Community Healthcare NHS Trust v IC (EA/2012/0111). The Trust was fined £90,000 for faxing patient lists containing sensitive personal data to the wrong number. The Commissioner’s press release is available here.

Secondly, Southampton City Council is appealing against a decision by the Commissioner that a licensing policy under which all licensed taxis must use surveillance equipment consisting of CCTV and audio-recording facilities, both of which must operate whenever the vehicle is in motion, breached the first data protection principle. The Commissioner issued an enforcement notice against the Council (his press release is here).

The appeals will feature my fellow Panopticonners Anya Proops (for the Commissioner in both cases) and Tim Pitt-Payne QC (for the appellants in both cases).

Robin Hopkins

Local authorities and NHS Trusts (1): compromise agreements, officers’ identities and gagging clauses

September 17th, 2012 by Robin Hopkins

From a FOIA perspective, local authorities and NHS Trusts have this in common: both frequently receive requests for details of compromise agreements and other details about individual officers’ employment and disciplinary records. Three recent cases before the Tribunal confirm the general trend that – absent case-specific and well-evidenced arguments – the Commissioner and Tribunal are reluctant to order disclosure of such personal data, notwithstanding the context of public sector employees.

First, Trago Mills v IC and Teignbridge DC (EA/2012/0028) involved a request for the details of the severance package of a senior planning officer. Based on his dealings with that officer during a number of planning applications, the requester suspected that the stated reason for the officer’s departure from the Council (i.e. early retirement/redundancy) was in fact a ‘shield’, and that the officer had left for reasons of misconduct. The requester had also asked for information on that officer’s handling of planning applications in 2007.

The Council refused the request for the severance information on s. 40(2) grounds. The Commissioner and the Tribunal agreed: the requester’s suspicions were not borne out by the evidence, and the Council had a duty to respect its former employee’s reasonable expectation of privacy. The Tribunal also found that the Council held no further information within the scope of the request given the thoroughness of its searches. I represented the Council in this case, so no further commentary from me. For a detailed analysis of the issues, see the Local Government Lawyer’s article here. 11KBW’s Chris Knight represented the Information Commissioner.

Second, McFerran v IC (EA/2012/0030) involved a police search of a Council residence owned by Shropshire County Council. At the police’s request, two junior Council officers were present, but they had not been involved in any of the decision-making. The requester had concerns about the search and about what the Council may have told the police in the lead-up to the search. He requested the names of the two junior officers as well as their immediate superior. The Council refused, relying on s. 40(2).

The Commissioner ordered disclosure of the name of the more senior officer, but not of the two juniors. The requester’s appeal against the latter finding was dismissed, with the Tribunal observing that “although… there is clearly a legitimate public interest in transparency of activity by public authorities, which impinges on the personal freedom of householders, there is insufficient information provided to add significant weight to the general public interest in transparency in public affairs. The Appellant has not satisfied us, either, that his attempts to have the matter investigated are being thwarted by the absence of the names of the individuals in question. If there is sufficient information about the event to interest those responsible for an investigation the absence of names will not deter them.”

The McFerran decision illustrates that, when it comes to junior officials, general transparency considerations will usually not suffice for the disclosure of personal data: case-specific factors will be needed. Local authorities should, however, avoid the blanket non-disclosure of the names of all officers below a certain level of seniority. What matters is what work they have done, rather than what grade or band they are at.

McFerran also illustrates that requesters will often face the following sorts of objection: even if you have valid grounds for concern or complaint about individuals, there are ways of addressing those without disclosure of personal data to the world at large.

The third recent s. 40(2) case arose in the context of NHS Trusts and allegations of Trusts using “gagging clauses” in compromise agreements to silence criticism or whistleblowing from departing employees. In Bousfield v IC and Six NHS Trusts (EA/2011/0212; 0213; 0247; 0250; 0251; 0252), the requester was interested not in any specific individual’s compromise agreement, but in the use of such agreements by NHS Trusts more generally. He asked: “Please provide copies of all compromise agreements you have entered into with doctors of any grade. Please also provide a list of exploratory or illustrator issues covered by the compromise agreements (ie the reasons the compromise agreements were entered into)”. One Trust refused to confirm or deny whether it held such information, relying on s. 40(5) (the argument being that there was a risk of identifying any individuals involved, which would breach the first data protection principle) and s. 43(3) (the argument being that confirmation or denial would prejudice the Trust’s commercial interests). Other Trusts also refused the requests, relying on a combination of s. 40(2) (personal data), s. 41 (actionable breach of confidence), 42 (legal professional privilege) and 36(2) (prejudice to the effective conduct of public affairs).

The Commissioner agreed, and the Tribunal has dismissed the requester’s appeal. One Trust had conceded that, if there was evidence of gagging clauses being used to prevent former employees from raising any issues concerning patient safety, there would be enormous public interest in disclosing such practices. The decisive issue in this case, however, was that the Tribunal was satisfied on the evidence that no such clauses were being used by these Trusts. Therefore, it concluded that “it is entirely sympathetic to the overall concern that the Appellant feels with regard to the apparently increasing prevalence of gagging clauses but does not find that issue or concern in any way material to the matters which the Tribunal in fact has had to consider”.

It seems that, if the evidence had borne out the requester’s concerns, the analysis may have been very different. This ‘gagging clause’ issue has been considered at Tribunal level before: Bousfield v IC (EA/2009/0113). It may yet resurface.

Robin Hopkins

Important development in local government transparency

September 14th, 2012 by Panopticon Blog

The Local Authorities (Executive Arrangements) (Meetings and Access to Information) (England) Regulations 2012 (SI 2012/2089) came into force this week (10 September). The aim is to enhance the transparency of local government decision-making, including through the detailed prescription of what an officer must record in relation to an “executive” decision (see regulation 13(4)). Exactly how far does this extend? What counts as an executive decision? These and other thorny issues under the new regulations have been addressed by 11KBW’s Clive Sheldon QC, whose legal advice is discussed in this piece by Dr Nicholas Dobson of Pannone LLP and in this piece by Philip Hoult in the Local Government Lawyer, which also features commentary on the new regulations by Geoff Wild of Kent County Council here.

Robin Hopkins

Meaning of ‘public authority’ under the EIRs: ECJ to consider

September 14th, 2012 by Robin Hopkins

The leading authority on the meaning of “public authority” under regulation 2 of the EIR is Smartsource v IC and a Group of 19 additional water companies [2010] UKUT 415 (AAC). In that case, the Upper Tribunal found that the water companies were not public authorities for EIR purposes. Smartsource has been applied in, for example, Bruton v IC and Duchy of Cornwall and Montford v IC and BBC.

The issue has returned to the Upper Tribunal in Fish Legal v IC [2012] UKUT 177 (AAC), again in the context of water companies. As the Upper Tribunal has noted, however, the principles are relevant to other privatised, regulated industries that deliver a once publicly-owned service: electricity, gas, rail and telecoms. As the EIR implement European legislation, the meaning of “public authority” has been referred to the ECJ, which has recently published the questions it will be considering.

These involve the meaning of ‘performing public administrative functions under national law’ (is the applicable law and analysis purely a national one? If not, what EU law criteria should be used?), what does ‘control’ mean (in the context of one person/body controlling another) and does an ‘emanation of the state’ necessarily come within the definition? Another crucial issue is the so-called ‘hybrid authority’ question: if a body falls partly within the definition, do EIR rights apply only to those parts (functions, activities etc) that do, or to the whole of the person/body?

Those are, of course, paraphrases. The actual questions can be found here. The ECJ’s answers will be enormously important to information access rights in the UK.

11KBW’s Rachel Kamm represented the Information Commissioner before the Upper Tribunal.

Robin Hopkins

The Equitable Life collapse: strong public interests needed to trump s. 30

September 14th, 2012 by Robin Hopkins

Wynn v IC and Serious Fraud Office (EA/2011/0185) concerned the dramatic closure in late 2000 of the insurer Equitable Life. Both the Ombudsman and the Penrose Inquiry examined the collapse and published their reports. Attempts to compensate those who lost money have been pursued through the courts and considered by parliament.

The Serious Fraud Office became involved to consider whether any criminal charges should be brought against those involved in the collapse. Pursuant to its functions under the Criminal Justice Act 1987, it analysed the material and took legal advice in order to decide whether or not to commence a criminal investigation. In effect, it investigated whether or not to investigate. In December 2005, the SFO announced that it would not commence an investigation.

Mr Wynn was dissatisfied with that decision. Eventually, in 2009, he asked the SFO for all of the information it held on Equitable Life. It provided him with some information – importantly, this included (pursuant to a direction from the ICO) a ‘vetting note’, which summarised the SFO’s reasoning on why successful prosecutions were unlikely. The SFO withheld the remainder of the voluminous information it held, relying on s. 12 (cost of compliance) for some of it and ss. 30(1) (investigations) and 42 (legal professional privilege) for the rest. The ICO agreed.

Mr Wynn’s appeal to the Tribunal was dismissed. The Tribunal was satisfied that the s. 12 estimate was reasonable and well evidenced. S. 30(1) was engaged: a preliminary investigation (or, as I have put it above, an investigation into whether to investigate) was an investigation for s. 30(1) purposes nonetheless.

The public interest favoured maintaining that exemption. Case-specific points included the substantial transparency delivered by the Ombudsman and Penrose Inquiry reports and the SFO’s vetting note. There was nothing to suggest that the SFO had got things wrong.

The decision also contains a number of points of more general application. The Tribunal endorsed the account given in Breeze v Information Commissioner (EA/2011/0057) of the concerns protected by s. 30(1): protecting witnesses and informants (including their confidentiality), maintaining the integrity of the prosecution and judicial process, and ensuring that the court remained the sole forum for determining guilt. The ‘safe space’ point was also important: prosecutors need a safe space in which to make their decisions without any fear of their frank assessments being publicised too soon after the event.

Notwithstanding the passage of time between the conclusion of that investigation and the request under FOIA, those factors counted very heavily in favour of maintaining the exemption under s. 30(1). The Tribunal endorsed this general proposition from Public Prosecutor of Northern Ireland v IC (EA/2010/0109): “in order for disclosure to be ordered in such cases public interest factors of at least equal weight would have to be adduced. A general interest in transparency as to a prosecution authority’s decisions will not be sufficient. Something substantial and particular to the information would be required” (paragraph 35).

The general upshot is that, in recent years, s. 30(1) has grown into a ‘strong’ exemption, i.e. one that requires weighty and particular factors to ‘defeat’. ‘Safe space’ arguments have also fared somewhat better in the prosecution context than the policy-making context (under s. 35 of FOIA) in Tribunal decisions over the last year or two.

Finally, it is long-established that s. 42(1) is a ‘strong’ exemption, requiring weighty factors if disclosure of privileged information is to be ordered. None were forthcoming in Wynn.

Robin Hopkins