Public access to local authority information: transparency with teeth

November 20th, 2014 by Robin Hopkins

The Freedom of Information Act and Environmental Information Regulations are the dominant statutory regimes for public transparency, but they are of course not the only ones. A good example is the regime under the Local Government Act 1972 (as amended), particularly sections 100A-K. Those provisions govern public access to local authority meetings, as well as the public availability of minutes, reports, background documents and so on for such meetings, subject to provisions for exempt information (Schedule 12A).

A recent judgment of the Admin Court (Cranston J) in a planning matter, Joicey v Northumberland County Council [2014] EWHC 3657 (Admin) illustrates the importance of compliance with that regime for public access to information.

The claimant challenged the local authority’s grant of planning permission for a wind turbine. One of his grounds was its failure to make available the noise assessment report which had been considered in the granting of permission, contrary to the provisions of the 1972 Act referred to above, and also in breach of the council’s Statement of Community Involvement.

The Council had argued that the report, being on its files, was duly available. Cranston J disagreed: “it was not open to inspection by members of the public since the files were in such a state that the duty officer on 1 November fetched what must have been a Brackenside file, but not one with the report. If the Council cannot organize its files in a way which means the duty officer is able to produce a particular report within a reasonably practicable time the report is not available” (paragraph 44). This is a compelling warning to public authorities to make sure relevant information is properly (rather than technically or hypothetically) available where required.

Here is an important passage from Cranston J’s judgment about the practical and democratic value of transparency (paragraph 47):

“… Right to know provisions relevant to the taking of a decision such as those in the 1972 Act and the Council’s Statement of Community Involvement require timely publication. Information must be published by the public authority in good time for members of the public to be able to digest it and make intelligent representations: cf. R v North and East Devon Health Authority Ex p. Coughlan [2001] Q.B. 213, [108]; R (on the application of Moseley) (in substitution of Stirling Deceased) v Haringey LBC [2014] UKSC 56, [25]. The very purpose of a legal obligation conferring a right to know is to put members of the public in a position where they can make sensible contributions to democratic decision-making. In practice whether the publication of the information is timely will turn on factors such as its character (easily digested/technical), the audience (sophisticated/ ordinary members of the public) and its bearing on the decision (tangential/ central)”.

Here, the dense and technical report had not been made available with sufficient time for it to be digested acted upon.

Cranston J was also clear that, had the information been made properly available, it could have made a real difference. Officers could have been prompted to rethink certain points, and decision-makers could well have been swayed: the decision was made by “a committee of politicians where the vote was not whipped. It is a very bold person who will hazard that in such circumstances a particular result is inevitable”.

Relief was therefore appropriate: “the claimant will be entitled to relief unless the decision-maker can demonstrate that the decision it took would inevitably have been the same had it complied with its statutory obligation to disclose information in a timely fashion” (paragraph 51).

The Council’s decision was therefore quashed on the transparency ground (among others). See paragraph 59:

“Here the claimant had standing to challenge a decision of his local Council. By denying him timely access to information to which he was entitled it limited his full participation in democratic decision-making. The fact that he might not be immediately affected by the proposal where he lives is not a sufficient reason to deny him the remedy he seeks. This was a serious breach by the Council of its statutory obligations. An additional factor bearing on the exercise of discretion in this case is the Council’s own behaviour in the back-dating of the website to when the WSP noise assessment was available to it. Although it did not have any consequences in the circumstances of this case, it had the potential to mislead members of the public about their right to know and to use the information disclosed. In all there is no reason to deny the claimant his remedy.”

The case is a powerful illustration of the practical value of transparency and public participation, and of how failure to comply with laws aimed at those ends can really bite.

Robin Hopkins @hopkinsrobin

Disclosure to GMC

November 19th, 2014 by jamesgoudie

The disclosure of material to the General Medical Council (“the GMC”) by other agencies, including the Police, has an important role to play in the exercise of the GMC’s public interest functions as they relate to a Doctor’s fitness to practice.  Section 35A of the Medical Act 1983 grants a specific power to the GMC to require the disclosure of information which appears relevant to the discharge of these functions.

The leading case in relation to the duties of the Police, when a request for disclosure is received from a regulatory body, such as the GMC, remains the decision of the Court of Appeal in Woolgar v Chief Constable of Sussex Police [2000] 1 WLR 25.

The issue in R (Nakash v Metropolitan Police Service (“MPS”) and GMC [2014] EWHC 3810 (Admin), in which Judgment was given by Cox J on 17 November 2014, was whether, as the Claimant Doctor contended, the Administrative Court should prohibit the disclosure by the MPS of material requested by the GMC, on the basis that it was unlawfully obtained by the police, in breach of the Claimant’s ECHR Article 8 rights; that it included material of a highly personal and confidential nature; and that the material had no relevance to the issue of the Claimant’s fitness to practise as a medical practitioner.

Cox J concluded that the decision by the MPS to disclose the material requested by the GMC was in error. They had failed to carry out the “careful balancing exercise of competing interests” required by Article 8.  Relevance of the material is obviously an important factor.  So too, however, is the personal and confidential nature of the material requested.

At paragraph 46, Cox J said:-

 “… Since the primary decision as to disclosure will be made in these cases by the police, it is important that before the decision to disclose is made, there is a rational assessment of the relevant competing interests and that consideration is given, in each case, to the extent of the interference, and whether the disclosure sought is in accordance with the law and is a proportionate response to a legitimate aim …”

The MPS’s decision having been found to have been flawed, Cox J proceeded to carry out the balancing exercise herself, and found that disclosure by the MPS to the GMC was justified, under Article 8(2), notwithstanding the circumstances in which the MPS had obtained the material and the interference with the Doctor’s Article 8(1) rights.

James Goudie QC

Video recordings

November 18th, 2014 by jamesgoudie

The classification requirements imposed by the Video Recording Acts are lawful, the Court of Appeal (Criminal Division) has ruled, on 14 November 2014, in R v Dryzmer and Play Media Distribution Ltd.  The prohibition on supplying video recordings which have not been classified by the British Board of Film Classification is not rendered unlawful either by ECHR Article 10, on freedom of expression, or by TFEU Articles 34-36 on non-interference with trade. The reason is the same in both cases.  Qualitative restrictions on grounds of public health and morals are justified.

This was an application of the ECJ decision in Case 244/06, Dynamic Medien Vertriebs GmbH v Avides Media AG.  In that case the ECJ observed as follows.  The protection of the rights of the child is recognised by various international instruments which the Member States have cooperated on or acceded to, such as the International Covenant on Civil and Political Rights, which was adopted by the General Assembly of the United Nations on 19 December 1966 and entered into force on 23 March 1976, and the Convention on the Rights of the Child, which was adopted by the General Assembly of the United Nations on 20 November 1989 and entered into force on 2 September 1990. Those international instruments are among those concerning the protection of human rights of which it takes account in applying the general principles of Community law.  Under Article 17 of the Convention on the Rights of the Child, the States Parties recognise the important function performed by the mass media and are required to ensure that the child has access to information and material from a diversity of national and international sources, especially those aimed at the promotion of his or her social, spiritual and moral well-being and physical and mental health. Article 17(e) provides that those States are to encourage the development of appropriate guidelines for the protection of the child from information and material injurious to his or her well-being. The protection of the child is also enshrined in instruments drawn up within the framework of the European Union, such as the Charter of Fundamental Rights, Article 24(1) of which provides that children have the right to such protection and care as is necessary for their well-being. Furthermore, the Member States’ right to take the measures necessary for reasons relating to the protection of young persons is recognised by a number of Community-law instruments. Although the protection of the child is a legitimate interest which, in principle, justifies a restriction on a fundamental freedom guaranteed by the EC Treaty, such as the free movement of goods, such restrictions may be justified only if they are suitable for securing the attainment of the objective pursued and do not go beyond what is necessary in order to attain it.  However, it is not indispensable that restrictive measures laid down by the authorities of a Member State to protect the rights of the child correspond to a conception shared by all Member States as regards the level of protection and the detailed rules relating to it.  As that conception may vary from one Member State to another on the basis of, inter alia, moral or cultural views, Member States must be recognised as having a definite margin of discretion.  Prohibiting the sale and transfer by mail order of image storage media which have not been examined and classified by the competent authority for the purpose of protecting young persons and which do not bear a label from that authority indicating the age from which they may be viewed constitutes a measure suitable for protecting children against information and materials injurious to their well-being.

 James Goudie QC

Unforgettable that’s what you are – Google Spain revisited

October 13th, 2014 by Anya Proops

The debates over whether the CJEU’s judgment in Google Spain represents an unjustified attack on free speech rights have raged for months now. Interestingly, it seems that some judges at the local level at least are proving somewhat resistant to this highly privacy-centred judgment. Thus, according to online reports, in recent weeks a Dutch preliminary court has apparently held that a man convicted of a serious offence dating back over some years could not rely on Google Spain to have the links to websites referring to the offence excised. According to reports about the judgment (which seems only to be available in Dutch), the court held that information revealing that someone has committed an offence has relevance notwithstanding its vintage and, as such, should not be de-indexed by Google (see here). Outside of Europe, a judge sitting in the Israeli magistrate’s court has apparently refused to countenance a claim against Google based on the so-called right to be forgotten. According to a report in the Israel Hayom online newspaper, the judge held that imposing an obligation on Google to de-index results, even if they were defamatory, would entail converting Google unjustifiably into a ‘super-censor’ (see the report here). It will be interesting to see how the English courts, with their strong tradition of upholding free speech rights, will in due course seek to navigate their way through the challenging jurisprudential landscape set by the CJEU in Google Spain.

Anya Proops

Assessing the FOIA veto power

September 17th, 2014 by Robin Hopkins

For those of you still following the Prince of Wales correspondence veto saga, and who have access to law journals in print or online, you may be interested to read the casenote published in the latest issue of the Law Quarterly Review discussing the Court of Appeal judgment. The casenote is by 11KBW and Panopticon stalwart Chris Knight. The full reference is CJS Knight, ‘The Veto in the Court of Appeal’ (2014) 130 LQR 552.

Loss of personal data: £20k award upheld on appeal

September 16th, 2014 by Robin Hopkins

If you breach your legal duties as regards personal data in your control, what might you expect to pay by way of compensation to the affected individual? The received wisdom has tended to be something along these lines. First, has the individual suffered any financial loss? If not, they are not entitled to a penny under s. 13 DPA. Second, even if they get across that hurdle, how much should they get for distress? Generally, not very much – reported awards have tended to be very low (in the low thousands at most).

All of that is very comforting for data controllers who run into difficulties.

That picture is, however, increasingly questionable. “Damage” (the precondition for any award, under s. 13 DPA) could mean something other than “financial loss” – other sorts of damage (even a nominal sort of damage) can, it seems, serve as the trigger. Also, provided the evidence is sufficiently persuasive, it seems that awards – whether under the DPA or at common law (negligence) – could actually be substantial.

These trends are evident in the judgment of the Court of Appeal of Northern Ireland in CR19 v Chief Constable of the Police Service of Northern Ireland [2014] NICA 54.

The appellant, referred to as CR19, was a police officer with the Royal Ulster Constabulary. Due to his exposure to some serious terrorist incidents, he developed Post-Traumatic Stress Disorder (PTSD); he also developed a habit of excessive alcohol consumption. He left the Constabulary in 2001. In 2002, there was a burglary at Castlereagh Police, apparently carried out on behalf of a terrorist organisation. Data and records on officers including CR19 were stolen.

The Constabulary admitted both negligence and a breach of the seventh data protection principle (failure to take appropriate technical and organisational measures). The issue at trial was the amount of compensation to which CR19 was entitled.

Note the losses for which CR19 sought compensation: he claimed that, as a result of the stress which that data loss incident caused him, his PTSD and alcohol problems worsened, he lost out on an employment opportunity and that his house had been devalued as a result of threats to the property and the package of security measures that had been implemented for protection.

The trial judge heard evidence from a number of parties, including medical experts on both sides. He found some aspects of CR19’s evidence unsatisfactory. Overall, however, he awarded CR19 £20,000 (plus interest) for the Constabulary’s negligence. He did not expressly deal with any award under s. 13 of the DPA.

CR19 appealed, saying the award was too low. His appeal was largely dismissed: the trial judge had been entitled to reach his conclusions on the evidence before him.

Further, the s. 13 DPA claim added nothing to the quantum. The Court of Appeal considered the cases of Halliday (a £750 award) and AB (£2,250) (both reported on Panopticon) and concluded as follows (para. 24):

“In this case we have earlier recorded that three eminent psychiatrists gave professional evidence as to the distress sustained by CR19 as a consequence of the break-in. While accepting that the breach and its consequences in this case are of a different order to the matters considered in Halliday or AB, we conclude that the damages for distress arising from the breach of the Data Protection Act must be considered to be subsumed into the judge’s award which, while rejected as too low by the appellant, was by no means an insignificant award. The assessment took account of the distress engendered by the breach of data protection. We cannot conceive of any additional evidence that might be relevant to any additional damages for distress in respect of breach of section 4. Accordingly, we affirm the award of compensation made by the learned trial judge. However, in view of Arden LJ’s reasoning in Halliday, we conclude that the appellant must in addition be entitled to nominal damages of £1.00 to reflect the fact that there was an admitted breach of section 4 of the Data Protection Act.”

Whilst it is not strictly correct to read the CR19 judgment as affirming a DPA award for £20,000 (that award was for negligence), the judgment is nonetheless interesting from a DPA perspective in a number of respects, including these:

(i) While it was conceded in Halliday that nominal damage suffices as “damage” for s. 13(1) purposes, that conclusion looks like it is being applied more widely.

(ii) One problem in Halliday (and to an extent also in AB) was the lack of cogent evidence supporting the alleged damage. The CR19 case illustrates how evidence, including expert medical evidence, can be deployed to effect in data breach cases (whether based on negligence or on the DPA).

(iii) Unlawful acts with respect to individuals’ personal information can, it seems, lead one way or another to a substantial award. The DPA may aim to offer relatively modest awards (so said the Court of Appeal in Halliday), but serious misuse or loss of personal data can nonetheless be very damaging, and the law will recognise and compensate for this where appropriate.

Robin Hopkins @hopkinsrobin

Facebook, FOI and children

August 6th, 2014 by Robin Hopkins

The Upper Tribunal has got its teeth into personal data disputes on a number of occasions in recent months – Edem was followed by Farrand, and now Surrey Heath Borough Council v IC and Morley [2014] UKUT 0330 (AAC): Morley UT decision. Panopticon reported on the first-instance Morley decision in 2012. In brief: Mr Morley asked for information about members of the local authority’s Youth Council who had provided input into a planning application. The local authority withheld the names of the Youth Councillors (who were minors) under s. 40(2) of FOAI (personal data). In a majority decision, the First-Tier Tribunal ordered that some of those names be disclosed, principally on the grounds that it seemed that they appeared on the Youth Council’s (closed) Facebook page.

The local authority and the ICO challenged that decision. The Upper Tribunal (Judge Jacobs) has agreed with them. He found the dissenting opinion of the First-Tier Tribunal member to have been the more sophisticated (as opposed to the overly generalised analysis of the majority) and ultimately correct. The Youth Councillors’ names were correctly withheld.

In his analysis of the First Data Protection Principle, Judge Jacobs was not much bothered by whether fairness or condition 6(1) (the relevant Schedule 2 condition) should be considered first: “the latter is but a specific instance of the former”.

Judge Jacobs found that there was no sufficient interest in the disclosure of the names of the Youth Councillors. He also rejected the argument that, by putting their names on the relevant Facebook page, the data subjects had implicitly consented to public disclosure of their identities in response to such a FOIA request.

Judge Jacobs stopped short, however, of finding that the personal data of minors should never be disclosed under FOIA, i.e. that the (privacy) interests of children would always take precedence over transparency. Maturity and autonomy matter more than mere age in this context, and sometimes (as here) minors are afforded substantial scope to make their own decisions.

Morley is an important case on the intersection between children’s personal data and transparency, particularly in the social media context, but – as Judge Jacobs himself observed – “it is by no means the last word on the subject”.

There were 11KBW appearances by Joseph Barrett (for the local authority) and Heather Emmerson (for the ICO).

Robin Hopkins @hopkinsrobin

New from the Upper Tribunal: DWP work programmes, personal data. And security service algebra.

July 23rd, 2014 by Robin Hopkins

The Upper Tribunal has handed down a number of FOIA decisions in recent days. I refrain from comment or analysis, given my involvement in the cases (hopefully someone else from the Panopticon fold will oblige before long), but I post the judgments here for those who wish to read for themselves.

In DWP v IC and Zola [2014] UKUT 0334 (AAC), the Upper Tribunal dismissed the DWP’s appeal against this First-Tier Tribunal decision. The disputed information is a list of the identities of companies, charities and other organisations who host placements through the DWP’s work programmes for job seekers. Zola determination 21.07.14

In Farrand v IC and London Fire and Emergency Planning Authority [2014] UKUT 0310 (AAC), the Upper Tribunal dismissed an appeal concerning a report into a fire in a London flat, on the grounds that the requested information was the occupant’s personal data and no condition from Schedule 2 to the DPA was met. The decision discusses Common Services Agency and identification, legitimate interests, necessity and fairness. Farrand UT

Third, in Home Office v IC and Cobain (GIA/1722/2013), the Upper Tribunal has issued an interim decision allowing the appeal. This case concerns this problem: x + y = z, where z is a publicly known number, x is non-exempt information but y is exempt information (in this case, on section 23 grounds – security service information). Normally, the requester is entitled to non-exempt information, but here the automatic effect of disclosure would be to reveal the exempt information. What to do about this? As I say, an interim decision which I don’t analyse here. Have a go at the security service algebra yourself.

Robin Hopkins @hopkinsrobin

Academies and FOI

July 16th, 2014 by Robin Hopkins

The question of whether information is ‘held’ by a public authority for FOIA or EIR purposes can raise difficulties. This is especially so where the boundaries between public and private service provision are blurred: consider outsourcing, privatisation of services, public/private partnerships, joint ventures, the use of external consultants and so on. Legal separation and practical day-to-day realities can often point in different directions in terms of who holds information on whose behalf.

Geraldine Hackett v IC and United Learning Trust (EA/2012/0265) is a recent First-Tier Tribunal decision which addresses such issues – specifically in the context of academy school provision.

The United Church Schools Foundation Limited delivers schools through two separate trusts: the United Church Schools Trust (which runs 11 private schools) and the United Learning Trust (which runs 20 academies, and receives approximately £110k of its £129k of annual income from public funds).

Para 52A Schedule 1 FOIA brings within the scope of FOIA “the proprietor of an academy” but only in respect of “information held for the purposes of the proprietor’s functions under academy arrangements.”

Geraldine Hackett asked for information about the employment package of ULT’s chief executive (pay, pension contribution, expenses etc) and of the other members of the ULT senior management team.

ULT said it did not hold the information; the information was instead held by UCST (the private school provider). The ICO agreed. So did the First-Tier Tribunal, but this was overturned by the Upper Tribunal on account of aspects of procedural fairness which had gone badly awry at first instance.

On reconsideration by a fresh First-Tier Tribunal, the ICO’s decision was overturned. The Tribunal asked itself the questions which the Upper Tribunal had invited for consideration:

“Was it really the case that ULT had delegated day-to-day running of its charitable activities to a chief executive of whose duties under his contract of employment, ULT was ignorant? Was it permissible to avoid FOIA by the device of a contract of employment made by another body?”

It applied the leading case of University of Newcastle upon Tyne v ICO and BUAV [2011] UKUT 185 (AAC) and concluded that ULT did hold the requested information for FOIA purposes. This meant that “ULT would fulfil its obligations under FOIA by disclosing not the total sums involved but that proportion, calculated in accordance with the agreement, which relates to the academies; in other words excluding that proportion which can be attributed to USCT’s private schools.”

The Tribunal noted that “in 2006 both trusts entered into an agreement with each other to apportion the expenditure on shared services” and observed that “it appeared to us from the oral and written evidence that staff work together seamlessly for all three trusts”.

Those who grapple with held/not held questions in contexts like this will wish to note the key paragraph (19) illuminating the Tribunal’s reasoning:

“We were told at the hearing, and we accept, that the disputed information is held in hard copy in one of the filing cabinets at the United Learning Head Office. Those with access to it work seamlessly, we have found, for all three trusts. They have responsibilities to all three trusts. For these purposes, we are not attracted by artificial theories suggesting that staff hold these documents only on behalf of one or two of the trusts. Looking at actualities, and applying the plain words of the statute, in our judgment the disputed information is held by ULT, even if it is also held by UCST and UCSF. This finding is consistent with the obligations of the ULT accounting officer in respect of senior officers’ payroll arrangements…”

Robin Hopkins @hopkinsrobin

In the wake of Google Spain: freedom of expression down (but not out)

July 15th, 2014 by Robin Hopkins

The CJEU’s judgment in Google Spain was wrong and has created an awful mess.

That was the near-unanimous verdict of a panel of experts – including 11KBW’s Anya Proops – at a debate hosted by ITN and the Media Society on Monday 14 July and entitled ‘Rewriting History: Is the new era in Data Protection compatible with journalism?’.

The most sanguine participant was the Information Commissioner, Christopher Graham. He cautioned against a ‘Chicken Licken’ (the sky is falling in) alarmism – we should wait and see how the right to be forgotten (RTBF) pans out in practice. He was at pains to reassure the media that its privileged status in data protection law was not in fact under threat: the s. 32 DPA exemption, for example, was here to stay. There remains space, Google Spain notwithstanding, to refuse RTBF inappropriate requests, he suggested – at least as concerns journalism which is in the public interest (a characteristic which is difficult in principle and in practice).

‘I am Chicken Licken!’, was the much less sanguine stance of John Battle, ITN’s Head of Compliance. Google Spain is a serious intrusion into media freedom, he argued. This was echoed by The Telegraph’s Holly Watt, who likened the RTBF regime to book-burning.

Peter Barron, Google’s Director of Communications and Public Affairs for Europe, Africa and the Middle East, argued that in implementing its fledgling RTBF procedure, Google was simply doing as told: it had not welcomed the Google Spain judgment, but that judgment is now the law, and implementing it was costly and burdensome. On the latter point, Chris Graham seemed less than entirely sympathetic, pointing out that Google’s business model is based heavily on processing other people’s personal data.

John Whittingdale MP, Chairman of the Culture, Media & Sport Select Committee, was markedly Eurosceptic in tone. Recent data protection judgments from the CJEU have overturned what we in the UK had understood the law to be – he was referring not only to Google Spain, but also to Digital Rights Ireland (on which see my DRIP post from earlier today). The MOJ or Parliament need to intervene and restore sanity, he argued.

Bringing more legal rigour to bear was Anya Proops, who honed in on the major flaws in the Google Spain judgment. Without there having been any democratic debate (and without jurisprudential analysis), the CJEU has set a general rule whereby privacy trumps freedom of expression. This is hugely problematic in principle. It is also impracticable: the RTBF mechanism doesn’t actually work in practice, for example because it leaves Google.com (as opposed to Google.co.uk or another EU domain) untouched – a point also made by Professor Luciano Floridi, Professor of Philosophy and Ethics of Information at the University of Oxford.

There were some probing questions from the audience too. Mark Stephens, for example, asked Chris Graham how he defined ‘journalism’ (answer: ‘if it walks and quacks like a journalist’…) and how he proposed to fund the extra workload which RTBF complaints would bring for the ICO (answer: perhaps a ‘polluter pays’ approach?).

Joshua Rozenberg asked Peter Barron if there was any reason why people should not switch their default browsers to the RTBF-free Google.com (answer: no) and whether Google would consider giving aggrieved journalists rights of appeal within a Google review mechanism (the Google RTBF mechanism is still developing).

ITN is making the video available on its website this week. Those seeking further detail can also search Twitter for the hashtag #rewritinghistory or see Adam Fellows’ blog post.

The general tenor from the panel was clear: Google Spain has dealt a serious and unjustifiable blow to the freedom of expression.

Lastly, one of my favourite comments came from ITN’s John Battle, referring to the rise of data protection as a serious legal force: ‘if we’d held a data protection debate a year ago, we’d have had one man and his dog turn up. Now it pulls in big crowds’. I do not have a dog, but I have been harping on for some time about data protection’s emergence from the shadows to bang its fist on the tables of governments, security bodies, big internet companies and society at large. It surely will not be long, however, before the right to freedom of expression mounts a legal comeback, in search of a more principled and workable balance between indispensible components of a just society.

Robin Hopkins @hopkinsrobin