In response to a FOIA request, the Cabinet Office had decided to disclose some extracts from its Manual of Protective Security but to withhold others. Due in part to administrative complications, it did so by compiling a document consisting solely of the former rather than blanking out parts of the original manual. Relying on FOIA’s reference point being information rather than documents, the Cabinet Office sought to justify this approach in the face of criticism from the Tribunal. The Tribunal however, remarked that “it is at least arguable that a document which sets out the passages that contain the information to be disclosed, but which has the effect of obscuring the nature and extent of the information which has been withheld, does not inform the party making the request whether or not it holds information of the description specified in the request, for which exemption is claimed”.

This approach to the presentation of information could, it observed (without deciding the issue), constitute a breach of section 1 (duty to provide information) and/or section 16 (duty to assist) of FOIA.

The Tribunal indicated that it prefers the following approach:

“Within the practice established by the Tribunal and its users to date, a document characterised as having been redacted has come to mean one in which the extent of the omitted material is indicated by blank spaces and in which, to the extent possible, headings or other indications are retained or inserted to give a fair indication, to both panel members and those presenting submissions, of the broad nature of the information that has been withheld. Annotating the resulting document to indicate the exemption relied on to justify each omission is also a valuable assistance in cases where different exemptions apply to different sections of the document or information.”

James Goudie QC

The Court of Appeal has recently handed down an important judgment on the application of the law of confidence in matrimonial proceedings: Tchenguiz & Ors v Imerman [2010] EWCA Civ 908. The background to the case was that an application for ancillary relief had been made by Mrs Tchenguiz Imerman (TI) against her husband, Mr Imerman. Fearing that Mr Imerman may seek to conceal the nature and extent of his assets in the context of the ancillary relief proceedings, one of TI’s brothers, possibly with the help of others, accessed a computer server in an office which Mr Imerman shared with TI’s brothers and then copied information and documents which Mr Imerman had placed on that server relating to his assets. In order to prevent TI relying on the information and the documents in the ancillary relief proceedings, Mr Imerman sought to restrain the defendants from communicating the information and documents which they had obtained to any third party (including TI and her lawyers). He also sought delivery up of all copies of the documents. Eady J granted the orders sought by Mr Imerman. The defendants appealed to the Court of Appeal. The central issue for the Court of Appeal was essentially whether TI should be allowed to use the information and documents in the context of the ancillary relief proceedings, despite the fact that they appeared to have been obtained by the defendants in breach of confidence and, hence, unlawfully.  The case was rendered particularly complex as a result of what is commonly known in matrimonial proceedings as the ‘Hildebrande rules’. Historically, these rules have been applied by the courts in matrimonial ancillary relief proceedings so as generally to allow individuals to rely on evidence as to their spouses’ assets notwithstanding that that evidence has been unlawfully obtained.

In summary, the Court of Appeal held as follows:

·         the information/documents had been unlawfully obtained by the defendants as they had been obtained in breach of confidence (and, further, in breach of Mr Imerman’s right to privacy);

·         it may be that the obtaining of the information/documents had also amounted to: (a) criminal conduct on an application of s. 17 of the Computer Misuse Act 1990; (b) unlawful processing of Mr Imerman’s personal data under s. 4(4) Data Protection Act 1998 (DPA); and, further, (c) a criminal act under s. 55 DPA; although having found that the information/documents were obtained unlawfully in breach of confidence, the Court did not need to reach a concluded view on these issues;

·         the question for the Court was whether it should effectively condone the illegal self-help methods adopts by the defendants simply because it was feared that Mr Imerman may behave unlawfully and conceal that which should be disclosed in the ancillary relief proceedings. The answer to that question was: ‘No’ (see para. 107). As the Court suggested: ‘The tort of trespass to chattels has been known to our law since the Middle Ages and the law of confidence for at least 200 years, yet no hint of any defences of the kind now being suggested is to be found anywhere in the books’ (para. 117). Thus, the Hildebrande rules could not be justified on any grounds;

·         if there were concerns that an individual may seek dishonestly to conceal assets in the context of ancillary relief proceedings, the correct course would be for the spouse to seek to protect her/his position through lawful means, for example by applying to the court for an anton pillar order.

The judgment is important not least because it highlights the essentially inalienable nature of the common law rights to confidentiality and privacy. There is no doubt that the judgment will be controversial, not least because of concerns that it fails to recognise the significant power imbalance which often obtains between spouses in matrimonial proceedings. 

Poole Borough Council suspected that Jenny Paton and her family may have lied about living in the catchment area of a sought-after primary school in Dorset. It therefore monitored their activity for around 3 weeks in 2008. This included covertly monitoring the movements of family members and their car, as well as examining the contents of their rubbish.

The IPT found that:

(1) investigating a potentially fraudulent school application was not a proper purpose in the sense required by RIPA;
(2) in these circumstances, the Council’s actions were in any event disproportionate, in that they were not necessary to achieve that aim, and
(3) the Council’s actions had breached the family’s rights under Article 8 of the ECHR.

Poole Borough Council has accepted the ruling and apologised to Ms Paton and her family.

 First, individuals’ rights should be strengthened by ensuring that they enjoy a high level of protection and maintain control over their data. Individuals need to be well and clearly informed, in a transparent way, by data controllers – be it services providers, search engines or others – about how and by whom their data are collected and processed. They need to know what their rights are if they want to access, rectify or delete their data. And they should be able to actually exercise these rights without excessive constraints.

Secondly, the internal market requires not only that personal data can flow freely from one Member State to another, but also that the fundamental rights of individuals are safeguarded. Provided that all data protection guarantees are in place and properly applied, personal data should freely circulate within the EU and, where necessary and appropriate, be transferred to third countries. This requires a level playing field for all economic operators in different Member States. This is currently not the case: indeed, one of the main concerns expressed by businesses in recent consultations is the lack of harmonisation and the divergences of national measures and practices implementing the 1995 Directive.  Further harmonisation and approximation of data protection rules at EU level is needed.

Thirdly, the current rules on data protection in the area of police cooperation and judicial cooperation in criminal matters should be revised.  Derogations to general data protection principles should be limited. They should not go beyond what is necessary and proportionate in order to pursue objectives of general interest, such as the fight against terrorism and organised crime, or the need to protect the rights and freedoms of others.

Fourthly, personal data must be adequately protected when transferred and processed outside the EU. To that end, the current procedures for international data transfers, including in the areas of police cooperation and judicial cooperation in criminal matters, will be improved, strengthened and streamlined.

Fifthly, EU monitoring of the implementation and enforcement by Member States of the existing rules to guarantee that individuals’ rights are actually respected will be a priority; the role of data protection authorities should be strengthened; and data protection authorities should be provided with the necessary powers and resources to be able to properly exercise their tasks both at national level and when cooperating with each other.

James Goudie QC

In a separate development, the Tribunal recently decided in Thackeray v IC (EA/2010/0088) that an appellant would not be allowed to proceed with his appeal in view of his refusal to provide the Tribunal with a postal address. Mr Thackeray had provided an email address in his notice of appeal but refused to provide a postal address, allegedly because he was concerned that he would face harassment if the address was disclosed. Mr Thackeray argued that provision of an email address was sufficient in order to meet the requirements of rule 22(a) and (c) of the Rules. The Tribunal decided that the notice of appeal would be invalid in the absence of the provision of a postal address. The Tribunal took the view that a postal address was a pre-requisite not least in view of: (a) the fact that parties may want, for reasons of security, to deliver documents directly rather than by email; and (b) a postal address would be required to protect the position of the other parties in the event that costs were awarded against the appellant. Unfortunately, neither of these rulings can at present be found on the Tribunal website.

The Code covers (among other things) application and payment forms, social networking sites, cookies and other personally-targeted marketing. It considers the difficulties of ‘non-obvious identifiers’ (such as IP addresses linked to devices rather than to individuals), cross-border data transfers by multinational or non-domestic organisations, and the practice of outsourcing the storage of databases to other web-based companies.

With the aid of examples from such contexts, the Code turns established principles into specific recommendations for internet businesses, including: avoid collecting personal data too early in the relationship or transaction with the user; only collect personal as far as is necessary; provide a clear explanation of how users’ personal data will be processed; ensure that employees only have access to customers’ personal data where necessary, and that this access withdrawn as soon as their employment ends.

Certain suggestions will be particularly welcomed by privacy campaigners: alert users to the security risks associated with ‘autocomplete’ forms; give users a simple option of declining to have their personal data stored and of disabling cookies or other trackers of their online behaviour, and make it easy for them to contact the data controller about how their personal data is being used.