Data Protection | Panopticon Blog

THE PERSONAL IS POLITICAL - ACCESSING NICK GRIFFIN TRIAL RECORDS UNDER FOIA

January 23rd, 2010 by Anya Proops

The Guardian reports today that the CPS has refused a request for disclosure of its records of the 1998 race-hate trial of Nick Griffin. In the year before he was elected leader of the BNP, Mr Griffin was given a suspended prison sentence after being convicted of an offence under the Public Order Act 1986. The prosecution case centred on a magazine edited by Mr Griffin in which he dismissed the Holocaust as a hoax. The Guardian’s article indicates that the paper requested disclosure of the CPS’s records of the trial in circumstances where no transcript had been made of the hearing. It would appear that the request was refused by the CPS under s. 40 FOIA (the personal data exemption) and, in particular, on the basis that a large proportion of the requested information was ‘sensitive personal data’ as it related to the commission of an offence and Mr Griffin’s political opinions (see section 2 of the Data Protection Act 1998). It would appear that the Guardian will now lodge a complaint with the Information Commissioner. For an example of how the Information Tribunal applied s. 40 FOIA to a request for disclosure of personal data about individuals who had been made subject to ASBOs see further Camden v IC EA/2007/21

Tags: data protection, FOIA, section 40 FOIA
Posted in Uncategorized | Comments Off

CONFIDENTIAL INFORMATION IN THE TRIBUNAL

January 22nd, 2010 by Timothy Pitt-Payne

The Tribunal has issued a Practice Note dated 18th January 2010, dealing with the protection of confidential information under the new rules of procedure.

The Note needs to be read in conjunction with the new rules of procedure (discussed in our earlier post here). The relevant rules are set out in the Tribunal Procedure (First-tier Tribunal)(General Regulatory Chamber) Rules 2009 (SI 2009/1976) as modified by the Tribunal Procedure (Amendment) Rules 2010 (SI 2010/43).

The Practice Note indicates that the Tribunal will maintain its previous practice, that disputed information (i.e. the information sought by a requester but withheld by a public authority) will not usually be disclosed to the requester in the course of appeal proceedings before the Tribunal. This may mean that a party is excluded from part of the Tribunal hearing. The Practice Note refers to rule 35 of the new Rules as providing a basis for exclusion.

The Practice Note also includes guidance about the format of witness statements (see paragraph 22) and the contents of bundles (see paragraph 25).

Tags: data protection, FOIA, Information Tribunal
Posted in Uncategorized | Comments Off

HOW BUSY IS THE TRIBUNAL?

January 22nd, 2010 by Timothy Pitt-Payne

The First-tier Tribunal (Information Rights) - as we must now learn to call it - has recently published on its website a list of its current cases (updated to 20th January 2010). This gives an interesting insight into the volume and type of work reaching the Tribunal.

Cases are numbered by year of receipt, and in the order that they are received: for instance, EA/2009/100 is the 100th case received in 2009. This means that the case numbering system indicates how many appeals were received in a particular calendar year. On this basis, the Tribunal seems to have received 123 cases in 2009, and 30 (so far) in 2010; which suggests a sudden sharp increase in its workload.

The list shows 102 live cases. Of these, only one is identified as a Data Protection Act case. 11 cases are identified as involving the Environmental Information Regulations. All of the other appeals (90 cases) are brought solely under the Freedom of Information Act.

As the figures suggest, free-standing DPA cases before the Tribunal are rare. There are also few DPA cases that reach the ordinary courts. But many FOIA cases involve DPA issues. So a significant volume of DPA case-law is being generated by the Tribunal; but most of this is in the context of FOIA, and in particular the data protection exemption in FOIA section 40.

Tags: data protection, First-tier tribunal, FOIA, Information Tribunal
Posted in Uncategorized | Comments Off

EMPLOYMENT BLACKLISTING - AN UPDATE

January 19th, 2010 by Timothy Pitt-Payne

We have previously blogged about this subject at some length: see in particular this post in November last year.

A draft statutory instrument, under section 3 of the Employment Relations Act 1999, is now available here on the OPSI website. The draft regulations are intended outlaw the compilation, dissemination and use of blacklists of trade unionists in the employment context.

Tags: data protection, employment vetting
Posted in Uncategorized | Comments Off

Demystifying Data Protection

November 27th, 2009 by Timothy Pitt-Payne

The Information Commissioner’s Office has just launched a Guide to Data Protection, available on the ICO website. At the heart of the guidance is a detailed commentary on each of the Data Protection Principles, and on the conditions for processing set out in Schedule 2 and 3 of the Act.

The Data Protection Act 1998 is, notoriously, not user-friendly. One of the problems is that so much of its central content is tucked away in the Schedules: for instance, you have to get as far as Schedule 7, paragraph 10 before you find out that there is an exemption to the right of subject access where information is protected by legal professional privilege. So assistance in navigating the legislation is very welcome.

On a first glance, the ICO Guide looks as if it will be of real help - clearly written, comprehensive, but not unduly lengthy. It will also be useful to those wanting to know how the ICO itself might interpret and enforce the Act.

Tags: data protection, ICO powers
Posted in Uncategorized | Comments Off

This I can do at home

November 23rd, 2009 by Timothy Pitt-Payne

The last Queen’s speech before the election includes another proposal for databases about children; this time, in relation to children who are being home educated.

The background is that in January 2009 the Department for Children, Schools and Families (DCSF) commissioned Graham Badman to carry out a review of the current system for supporting and monitoring home education. The report (available here) was published in June 2009. Its first recommendation was that the DCSF should establish a national registration scheme, locally administered, for all children of statutory school age who are, or become, home educated.

On 11th June the Government launched a consultation about registration and monitoring proposals for home education. Unfortunately I cannot link to the consultation document itself, as it is currently unavailable on the DCSF website. The key proposals in the consultation document were these.

2.1 Register of home educated children

The review recommends that DCSF establishes a national registration scheme, locally administered, for all children of statutory school age who are, or become, electively home educated. The scheme described in the review is one where education and safeguarding issues are both considered as part of the registration process, with an initial statement of educational intent forming the basis for subsequent educational monitoring arrangements. The review response acknowledges that ultimately the scheme would need to be underpinned by guidance and training for local authority staff in order to work effectively. We accept that it will take time to put the full scheme in place particularly where more work is needed to provide more comprehensive guidance on the practical interpretation of ‘efficient’ and ‘suitable’.

2.2 Registration would be granted automatically unless there were safeguarding concerns (see next section): if at any time a LA became dissatisfied with the quality of home education provided to a child, it would - as now - serve a school attendance order.

2.3 We propose to legislate now for registration and monitoring arrangements that will focus on safeguarding but should also improve the quality of education. They will have the following features:
• Every home educated child of compulsory school age must be registered with the local authority in which the child is resident;
• Regulations will specify the information that parents must provide which is likely to be child’s name, date of birth, address, the same information for adults with parental responsibility; a statement of approach to education, and the location where education is conducted if not the home;
• Scope to extend the scheme to 18 in future;
• Regulations will specify how registration should take place;
• Any changes to registration details should be notified immediately;
• Registration must be renewed annually;
• It will be a criminal offence to fail to register or to provide inadequate or false information;
• Pupils should stay on the school roll for 20 days after a notification to home educate;
• The school must provide the local authority with a record of achievement to date and predicted future attainment;
• DCSF will take powers to issue statutory guidance relating to registration and monitoring.

2.4 Safeguarding

The review recommends that local authorities should have a discretion to refuse registration where there are safeguarding concerns. In addition, if safeguarding concerns are identified after home education has begun, the LA would have powers to revoke registration. Each case would need to be considered on its merits, balancing the rights of parents to home educate, and the rights of children to receive a suitable education in a safe environment.

2.5 Monitoring arrangements

Local authorities tell us that they need greater powers to ensure that home educated children are safe, well, and receiving a suitable education. The current arrangements allow parents to submit evidence that a ‘suitable education’ is being provided, which could be mainly written evidence. Local authorities have no powers to interview home educated children to establish that sample material provided is representative of their work, nor to establish that they are safe and well.

2.6 We believe that local authorities should interview children within 4 weeks of home education starting, after 6 months has elapsed, and thereafter at least annually to assess the quality of education provided and ensure that children are safe and well. The local authority should visit the premises where education is conducted, and question the child about the education provided, although at least 2 weeks notice should be given before the visit is conducted. The local authority should have the right to carry out the interview without a parent being present, if this is judged appropriate, or alternatively if the child is vulnerable or has particular communication needs, in the company of a trusted person who is not the home educator or parent/carer.

The consultation closed on 19th October, and as yet there has been no Government response to it. The Queen’s Speech nevertheless includes a proposal for a Children, Schools and Families Bill, one element of which is to be a new home educators’ registration system. For the full text of the proposed Bill, see here. The provisions about home education are in Schedule 1 to the Bill, and consist of proposed amendments to the Education Act 1996. New section 19A(1) of the 1996 Act will require each local authority to maintain a register of home-educated children. Regulations will make provision for how parents can apply to have their children included in the register. The local authority must refuse registration if they consider that it would be harmful to child’s welfare for the child to become, or remain, a home-educated child. It seems that if registration is refused, and the child is not sent to school, then the likely consequence will be a school attendance order: see the proposed amendments to section 437 of the 1996 Act. Under new section 19H of the 1996 Act, regulations can be made requiring other local authorities, and schools, to share information with a local authority for the purposes of that authority’s home education functions.

There are four points to make about this. One is that the proposed registers are, in substance, a mechanism for parents to seek advance permission from their local authority before home schooling their children. Failure to register will not in itself be a criminal offence, but may lead to a school attendance order; and failure to comply with that order may be a criminal offence. Secondly, exactly what information is to be included in each register is unclear, and will be set out in regulations; but it may well be that the registers will include information about each child’s prospective home education, as well as basic personal details such as name and address. Thirdly, it is unclear as yet who will have access to these registers, and for what purpose. And fourthly, there are to be specific information-sharing provisions in connection with home education.

Tags: data protection, database, education, international information sharing
Posted in Uncategorized | Comments Off

Banned Aid

November 21st, 2009 by Timothy Pitt-Payne

In March this year the Information Commissioner took enforcement action against the Consulting Association, which had been operating a secret blacklist of employees in the construction industry, including details of trade union activity. We posted about this story here, earlier this year.

Today, the Guardian has extensive coverage of what has happened since.

The Department for Business, Enterprise and Regulatory Reform has now consulted on draft regulations under section 3 of the Employment Relations Act 1999. The consultation ended on 18th August 2009. The proposed regulations are intended to outlaw the compilation, dissemination and use of blacklists of trade unionists. They would make it unlawful to refuse employment, or to dismiss employees or subject them to a detriment, for reasons related to a prohibited blacklist. Individuals who suffer loss through blacklisting would be able to bring claims either in the Employment Tribunal or in the civil courts, depending on the nature of their complaint.

The trade union UCATT commissioned a report from the Institute of Employment Rights about the proposed regulations. The report, by Professor Keith Ewing, was published on 15th September 2009: it is entitled “Ruined Lives”, and deals specifically with blacklisting in the construction industry. It includes sample material from Consulting Association files. The report gives a fascinating history of the practice of blacklisting, going back to the late 19th century. It suggests a number of changes to the draft Regulations, including: that keeping or using a blacklist, or supplying information to it, should be a criminal offence; and that there should be a right to compensation for the fact of being included on a blacklist, even if the inclusion does not lead to any loss.

A further point to note about the draft Regulations is that they deal specifically with the blacklisting of trade unionists (as does section 3 of the 1999 Act). So they would not assist individuals who had been blacklisted for other reasons; e.g. because of their political beliefs and affiliations, or because they have a history of raising concerns about health and safety issues.

A number of individuals have brought employment tribunal claims arising out of alleged blacklisting. The claims have been consolidated and there will be a case management discussion in Manchester ET on 24th November 2009. This blog gives further information.

Meanwhile the Information Commissioner’s Office (ICO) has taken control of the Consulting Association database. Individuals who think that they may have been blacklisted can contact the ICO; for more information, see this page of the ICO’s website.

Tags: data protection, employment vetting, ICO powers, surveillance
Posted in Uncategorized | Comments Off

Home Office publishes response to its consultation on communications data

November 16th, 2009 by Robin Hopkins

The Home Office has published a summary of responses to its April 2009 consultation paper on ‘communications data’, i.e. information about a communication that does not include the content of the communication itself. At present, such data is owned by communications service providers and accessed by certain public authorities under disparate statutory powers for the purposes of combating, for example, fraud, terrorism and other serious crime. The government is considering an overhaul so as to bring all communication types (such as web chat) and all relevant service providers (some of whose contractual positions place them beyond the current statutory arrangements) within the system.

The attendant tension between individual liberty and public protection is reflected in the 221 responses to this consultation.

A substantial minority of respondents objected in principle to any ‘surveillance’ of communications. A majority (albeit a fairly narrow one) agreed that communications data served an important public purpose and that the government should therefore act to maintain the capability of public authorities to make use of this type of information.

As to what form this action should take, only one element of the government’s proposed approach was widely welcomed, namely its rejection of a central database for holding all data of this type. Reservations were otherwise expressed about technological feasibility, data security and the proportionality of public authorities’ use of communications data.

Nonetheless, such reservations were not deemed forceful or widespread enough to deter the government from its proposed course. A number of respondents’ suggestions have been rejected, including the specifying of categories of data which should not be retained, and the requirement for a magistrate’s authorisation before communications data can be accessed.

The government is also satisfied that the DPA 1998 and RIPA 2000 provide sufficient safeguards against abuse of such data. A legislative review is, however, proposed, to see if a single means of authorised access (through RIPA 2000) would be practicable. Fresh or consolidating legislation appears likely.

Tags: consultation, data protection, data security, data sharing, database, public authorities, surveillance
Posted in INFORMATION LAW | Comments Off

Civil penalty notices: consultation

November 12th, 2009 by Ben Hooper

When the new monetary penalties regime under sections 55A-E of the DPA comes fully into force, the Information Commissioner will have power to impose a civil penalty on a data controller for a serious contravention of any of the data protection principles if - in essence - the contravention is (1) deliberate or reckless and (2) of a kind likely to cause substantial damage or distress.

The Ministry of Justice is currently consulting on what the maximum penalty under section 55A should be. £500,000 is proposed. Whilst this is clearly not an insubstantial sum, it needs to be compared with the fact that many other regulators have power to impose a penalty of up to 10% of an organisation’s turnover. If the data controller at issue has a turnover that is significantly above £5m, and - for example - a serious contravention has caused damage or distress to a very large number of people, the maximum penalty of £500,000 may begin to look a little on the small side. Indeed, the Commissioner may not even be able to go that far: the ICO’s draft guidance on the monetary penalty powers indicates at paragraph 7.4 that swift payment of the penalty will lead to a 20% reduction. So a data controller that decides not to contest the penalty may end up only paying a maximum of £400,000.

One final point. The penalties are to be paid into the consolidated fund (section 55A(8)). Thus, where the data controller is a central government body, the imposition of any size of penalty will have a slightly unreal quality to it, as the sum involved will simply return to the financial pot from which the body in question drew its funding in the first place.

Tags: data protection, ICO powers
Posted in Uncategorized | Comments Off

WHEN WILL THEY EVER LEARN?

November 10th, 2009 by Timothy Pitt-Payne

We call them “data protection duck outs”. The New Zealanders call them “BOTPAs” (standing for “Because of the Privacy Act”). Organisations do something silly, and then blame it on data protection legislation.

There’s a nice recent example. A parcel was addressed to a 9 day old baby. Initially the Royal Mail wouldn’t deliver it to her grandfather, apparently because the Data Protection Act required the baby to sign for it personally. Not surprisingly, the ICO has confirmed that the Act does not require anything of the kind.

Tags: data protection, data protection duck out, ICO powers
Posted in Uncategorized | Comments Off

Links

Archives

Email Subscribe

Disclaimer