BIOMETRIC INFORMATION IN SCHOOLS

February 18th, 2011 by Timothy Pitt-Payne QC

In my post yesterday about the Protection of Freedoms Bill I referred to the provisions about biometric information in schools. I asked why this subject had been singled out for attention in the Bill, and whether there was any evidence that the current situation was unsatisfactory.

Action on Rights for Children (ARCH) have just posted on their website a very interesting briefing on the subject: see here. This is clearly an issue that has been of concern to ARCH for some years, and their paper gives an overview of developments since 2001. ARCH welcome the proposal to introduce consent into the process of taking children’s biometric data, but suggest that ensuring any consent is valid and informed will present a considerable challenge.


PERSONAL DATA OF WHISTLEBLOWING CIVIL SERVANTS: REDACTION AND FAIRNESS

January 24th, 2011 by Robin Hopkins

Those considering the disclosure of personal data in a civil service context will wish to pay close attention to last week’s decision in Dun v IC and National Audit Office (EA/2010/0060). This is the latest Tribunal exercise in forensic scrutiny of fairness under the “personal information” exemption at section 40 (applied in tandem with the first data protection principle under the DPA).

The disputed information concerned the NAO’s enquiry into the Foreign & Commonwealth Office’s handling of employee grievances of a whistleblowing variety, i.e. those in which the employee had raised concerns as to “the proper conduct of public interest, fraud, value for money and corruption in relation to the provision of centrally-funded public services”. The request for information was triggered by the FCO’s inadvertent publication on its intranet of a “track changes” version of the draft report sent to it by the NAO: this tended to suggest that the FCO had sought not only to correct points of fact in that draft report, but also to influence its conclusions.

The unfairness of disclosing the grievance and investigation information was pleaded largely on the basis of the complainants’ expectations that their personal data would not be disclosed, and of the distress they would suffer at potentially being perceived as “trouble makers”.

A number of categories of arguably personal data were examined: junior civil servants’ names (outcome: don’t disclose), junior civil servants’ roles or job titles (outcome: disclose), contact details (outcome: don’t disclose, except for that part of an email address containing the name of a person whose name was otherwise to be disclosed), details of complaints and criticisms of employees (outcome: disclose in sufficiently redacted form).

The issue of redaction turned on whether disclosure in redacted form would preserve anonymity or achieve fairness – the NAO and IC had said no, but the Tribunal disagreed. It found that disclosure of whistleblowing case information in redacted form would be fair where (i) only those involved would be able to identify the persons being referred to, and (ii) those involved would not learn anything from the disclosed material which they did not know already.

This case is another instance of the established position that disclosure of the names of senior civil servants (here Grade 5 or above) will generally be fair, whereas those of their more junior colleagues would not. A note of caution here, however: the Tribunal was clear that no blanket policy should apply, and that fairness depends on the particular responsibilities and information with which the case is concerned.

One interesting aside: what of a civil servant who was junior at the time the information was created, but has since been promoted? Generally, subsequent events should not make a difference, but not necessarily: the Tribunal observed that it could “envisage a scenario where it is fair to disclose an earlier document in order to refute protestations of ignorance from the same individual who later becomes more senior and accountable”.

SCOTTISH GOVERNMENT ISSUES PRIVACY GUIDANCE

January 5th, 2011 by Robin Hopkins

The Scottish Government has published its guidance document on Identity Management and Privacy Principles. The guidance is aimed both at public sector policy makers and at those involved in devising or operating systems for proving or recording identity. Key principles include:

  • For services which are used frequently and for which identification is needed, users should be required to register only once. Thereafter, unless there is a statutory requirement to prove identity, a person should generally be able to access the service by authenticating themselves using a token (such as a bus pass or library card) that proves their entitlement without revealing personal information. In other circumstances, a user name and a password may be required.
  • A Privacy Impact Assessment (PIA) or proportionate equivalent should be conducted and published prior to the implementation of a project which involves the collection of personal information.
  • Where a public body has a contract with the private sector or the third sector, the contractor must be contractually bound to adhere to best practice as outlined in the guidance.
  • The creation of centralised databases of personal information is to be avoided.
  • If a public service organisation needs to link personal information from different systems and databases (internally or between organisations), it should avoid sharing persistent identifiers. Instead, other mechanisms – such as matching – should be considered.

WISE MEN, ANGELS AND SHEPHERDS

December 8th, 2010 by Rachel Kamm

The Information Commissioner has produced a Good Practice Note on the taking of photographs in schools. The ICO press notice gives a seasonal example: “Having a child perform at a school play or a festive concert is a very proud moment for parents and is understandably a memory that many want to capture on camera. It is disappointing to hear that the myth that such photos are forbidden by the Data Protection Act still prevails in some schools. A common sense approach is needed – clearly, photographs simply taken for a family album are exempt from data protection laws. Armed with our guidance, parents should feel free to snap away this Christmas and stand ready to challenge any schools or councils that say ‘Bah, Humbug’ to a bit of festive fun.” The guidance states that the Data Protection Act is unlikely to apply in most situations where photographs are taken by parents in schools, although it does apply when photographs of children are taken for official use by a school or college (such as for issuing identification passes). The ICO advises that in the other small number of instances where the Data Protection Act 1998 does apply, it will usually be sufficient for the photographer to obtain permission from the parent or individual to take a photograph. The guidance is available here: http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/taking_photos.pdf.

This post is also available on 11KBW’s education law blog: http://www.education11kbw.com/.

BACKDOOR ATTEMPT TO OBTAIN IRAQ WAR CABINET MINUTES FAILS

December 2nd, 2010 by Robin Hopkins

The minutes of the Cabinet meetings at which it was decided to go to war in Iraq have resurfaced for consideration by the Tribunal. First time round, the Tribunal agreed with the Commissioner that the minutes should be released, but the final word went to Jack Straw, by means of a ministerial veto – which was not subject to a judicial review challenge – issued under section 53 FOIA.

The requester in that case subsequently sought a backdoor route to the minutes, by requesting them under FOIA from the ICO itself. He also sought “background papers which show the processes of thought behind the Information Commissioner’s conclusion that the Cabinet minutes in question should be disclosed”. The ICO did not hold the minutes themselves, but it did hold some handwritten notes made by the then Commissioner, Richard Thomas, and by an ICO caseworker when visiting the Cabinet Office to inspect the minutes. It also held a confidential annex to the Decision Notice, which fell within the veto. All of these he refused to disclose.

The usual FOIA complaints and appeals process ensued, with the Commissioner issuing a decision notice in respect of his own refusal, and then defending that notice before the Tribunal in Lamb v IC (EA/2009/0108).

The basis of the refusal was section 44 FOIA, which provides that information is exempt if its disclosure is “prohibited by or under any enactment”. The Commissioner relied for the latter on section 59 of the DPA, which says that the Commissioner may not disclose information he obtained under the auspices of the Act “unless the disclosure is made with lawful authority”, which arises where “having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest”.

As the Tribunal accepted, this is a much higher threshold than the usual public interest test under FOIA: under section 59, there is effectively a presumption against disclosure.

The Tribunal was satisfied that this information was “obtained from” the Cabinet Office, notwithstanding the Appellant’s challenge on that point.

It also agreed with the Commissioner’s application of section 59. Much of the Appellant’s argument turned on the importance of the material he sought. This, said the Tribunal, overlooked the point that the Commissioner had already decided in the Appellant’s favour concerning the Cabinet minutes which he sought. The Tribunal also commented that:

“It is no part of the freedom of information regime to provide a mechanism by which a party who prosecuted a successful complaint to the Information Commissioner in the past may have his or her winning margin reassessed in the light of events subsequent to the date of the original victory”.

The Tribunal did not comment on whether the mere existence of the veto gave rise to the engagement or effectiveness of section 59. Nor did it speculate as to the circumstances in which reliance on section 59 could be defeated – although the wording of that section clearly envisaged this prospect.

COMMISSIONER HANDS DOWN FIRST MONETARY PENALTIES FOR DPA BREACHES

November 24th, 2010 by Robin Hopkins

Up to now, the Commissioner has not exercised his powers under sections 55A-E of the Data Protection Act 1998 to impose monetary penalties on data controllers for breaches of the Act. Today, he imposed his first two financial penalties.

Hertfordshire County Council has been handed a penalty of £100,000 for twice sending faxes containing sensitive personal data to members of the public in error. The first fax, which is the subject of an injunction preventing further details being disclosed, was intended for a barrister but sent to a member of the public. The second fax, which concerned child protection matters, was intended for a County Court. The errors both occurred in June 2010, and were both reported to the Commissioner by the Council itself.

Secondly, the employment services company A4e has been fined £60,000 after an unencrypted laptop containing personal details of 24,000 users of community law centres was stolen from an employee’s home. This too was reported to the Commissioner by A4e itself.

DISCLOSING DATA FOR PURPOSES OF MEDICAL RESEARCH – NEW ECHR JUDGMENT

November 23rd, 2010 by Anya Proops

Many readers of this blog will be familiar with the stringent protections which the Data Protection Act 1998 (DPA) affords in respect of personal health data (see further the definition of ‘sensitive personal data’ in s. 2 DPA). Thus, for example, if a data controller wishes to avoid contravening the first data protection principle (the fair and lawful processing principle) as and when it is processing health data, it must ensure that: (a) the particular processing is fair and lawful; (b) it meets one of the conditions provided for in schedule 2 to the DPA; and (c) it meets one of the very narrowly drawn conditions provided for in schedule 3 to the DPA. If the processing is intended to serve the interests of medical research, the data controller will doubtless wish to look in particular at the condition provided for in paragraph 8 of schedule 3. That condition stipulates that the processing must be ‘necessary for medical purposes’ (which includes the purposes of medical research) and be undertaken either by ‘a health professional’ or by ‘a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if the person were a health professional’. Of course, the principle which underpins this particular condition is that it is very much in the public interest that, subject to the test of necessity, health data be shared by medical researchers. A recent judgment of the European Court of Human Rights (ECHR) has highlighted the importance of this particular public interest: Gillberg v Sweden (application no. 41723/06).

In Gillberg, two researchers requested access to health data which had been accumulated by Professor Gillberg as part of a long-term project on hyperactivity and attention deficit disorders in children which he was running out of the University of Gothenburg in Sweden. The University refused access on the basis that assurances had been given to the parents of the children and later the children themselves concerning the confidentiality of the data. The researchers challenged the University’s decision relying on Sweden’s long-established and generous rules on access to official documents. The Swedish administrative court upheld the researchers’ claim and ordered that the University disclose the data to them, subject to the imposition of strict conditions on their handling and use of the data. In reaching the conclusion that the data should be disclosed to the researchers, the Swedish court took into account not least the public interest in ensuring the independent and critical evaluation of medical research in the important field of neuropsychiatry. The data was subsequently destroyed by certain of Professor Gillberg’s colleagues. Thereafter, Professor Gillberg was convicted of misuse of office by the Swedish Parliamentary Ombudsman. Having lost his appeals against conviction in the national courts, Professor Gillberg took his case to the ECHR claiming that the conviction breached his Article 8 and 10 rights, particularly in view of the assurances of confidentiality which he had given to the data subjects and their parents. The ECHR dismissed Professor Gillberg’s appeal. It found that, even if the conviction interfered with Professor Gillberg’s Article 8 right to privacy (i.e. his right to privacy in the context of his professional affairs), that interference was justified in the circumstances. It also found that there was no interference with Professor Gillberg’s Article 10 right to freedom of expression as he was convicted not for giving assurances of confidentiality but rather because he misused his office in response to the judgments of the court.

The ECHR’s judgment is interesting not least because it confirms that, at least for the purposes of human rights jurisprudence, the fact that promises of confidentiality have been given to individual patients/research subjects does not create an automatic bar on disclosures which may breach those promises, particularly where the disclosures serve important public interests such as the interests in protecting the integrity and progress of medical research. Query whether the same result would have obtained on an application of the principles embodied in the DPA, particularly in view of the relatively permissive approach to disclosures for the purposes of medical research contained in paragraph 8 of schedule 3.

ICO SIGNS UNDERTAKING WITH GOOGLE AND DEFENDS ITS STANCE

November 22nd, 2010 by Robin Hopkins

I reported in a recent post that the Information Commissioner had instructed Google to sign an undertaking aimed at preventing any repeat of the breaches of the Data Protection Act 1998 committed during Google’s information-gathering for its Street View feature. That undertaking has now been signed, and a copy can be viewed here. It requires Google engineers to maintain a “privacy design document” for each new Google project prior to launch. It provides for further training and data protection awareness for Google engineers and other employees. The undertaking also assures the deletion of all personal data which had been gathered unlawfully, and provides for the Commissioner to audit Google’s revamped data protection procedures nine months from now. Interestingly, the undertaking applies to Google’s global activities and not just its UK ones.

The ICO has come under fire for being soft on Google. The Commissioner, Christopher Graham, has defended his stance, including in an interview with the Daily Telegraph which can be found here. In that interview, the Commissioner remarks that “a lot of people out there want somebody – probably not me – to be the privacy tsar. But that’s not what the Information Commissioner is”. Recent indications suggest, however, that the ICO could potentially take on a “privacy tsar” role – see the recommendations from its recent surveillance report, summarised here.

APPLICATION OF THE FIRST DATA PROTECTION PRINCIPLE

November 19th, 2010 by Edward Capewell

Ms Alison Ince worked in a further education institute in Northern Ireland. She was dismissed from her employment in June 1999 and, from around 2002, had alleged on a number of occasions that her managers had been engaged in a fairly widespread fraud against the public purse in 1997. These allegations were investigated first by the Department for Education and Learning (DEL), and then by the Police Service of Northern Ireland. No criminal or disciplinary charges were brought and the investigation was not taken any further. Ms Ince had also raised the matter with her local MLA, with the chairman of the public accounts committee in Westminster and before an Industrial Tribunal (as they are still called in Northern Ireland). The IT held that there were no grounds for finding that any fraud had been committed.

Ms Ince was not satisfied with this finding. In October 2007 she made a request for information from the DEL with respect to her allegations of fraud at the institute. The information she sought included the transcripts of certain interviews held with other employees during the fraud investigation by the DEL. DEL provided some of the information, but withheld the transcripts pursuant to the personal data exemption in section 40(2) FOIA. The Information Commissioner agreed with DEL’s reliance on the exemption.

The Information Tribunal in Ince v Information Commissioner (EA/2010/0089) agreed – for the most part – with the Commissioner’s decision. Save in respect of one of the transcripts – that belonging to a friend of Ms Ince who gave evidence at a late stage in the hearing in which he consented to disclosure – the Tribunal found that it would not be fair for DEL to disclose the information and that disclosure would therefore breach the first data protection principle. Ms Ince had made four contentions in respect of the information:

(i) That because it related to the individual’s employment for a public sector organisation it related to their public, not private life;
(ii) That no harm or distress would have been caused to the individuals by disclosure of the transcripts;
(iii) That the interviewees’ objections to disclosure were outweighed by other considerations; and
(iv) That the interviewees did not have a reasonable expectation of privacy in respect of the transcripts.

The Tribunal disagreed on all counts. As to (i), following the reasoning in Corporate Officer of the House of Commons v IC and Baker it unanimously rejected the notion that anything said or done by a public sector employee was public information and could therefore be disclosed. It found by a majority that “the disputed information in the case related to the individual’s employment but was not information so directly connected with their public role that its disclosure would automatically be fair”. As to (ii), the Tribunal found that harm or distress would be caused by disclosure generally, and would also be caused by Ms Ince’s own ‘disproportionate’ method of pursuing her allegations – which included threatening to bring private prosecutions for fraud against certain individuals. The Tribunal further considered that the Commissioner had given appropriate weight to the interviewees’ clearly expressed objections, and that they also had a reasonable expectation of privacy in respect of the transcripts. There was moreover no common law public interest in disclosure – fraud in the education sector generally was obviously of legitimate concern, but would not be helped by disclosure of the information sought by Ms Ince.

ICO’S SURVEILLANCE REPORT 2010: ‘SLEEPWALKING’ RISK REMAINS; ‘PRIVACY IMPACT ASSESSMENTS’ PROPOSED FOR NEW LEGISLATION

November 15th, 2010 by Robin Hopkins

The Information Commissioner has delivered his latest report to the Home Affairs Select Committee on “the state of surveillance” in the UK. The report traces privacy-related developments since the Commissioner’s 2006 report on the same theme, which memorably observed that the UK may be “sleepwalking into a surveillance society”. According to the November 2010 report, that warning

“… is no less cogent in 2010 than it was several years ago. It is not being suggested that the UK is a ‘police state’ or that there are surveillance conspiracies afoot against the public. Neither the 2006 report nor this one supports such an assumption, and evidence for it is lacking. Much of what is taken to be surveillance is done for benign reasons and has beneficial effects on individuals and society. But much surveillance also goes beyond the limits of what is tolerable in a society based on the rule of law and human rights, one of which is the right to privacy.”

The report provides an illuminating summary of trends in (amongst others) the use of CCTV, body scanning and border control (including ‘ethnic targeting’ for security searches), workplace monitoring, social networking, ‘crowdsourcing’, the monitoring of protest activities and even the use of unmanned drones. Scrutiny is also given to a number of governmental policy tools, such as databases and the use of ‘social sorting’ (eg into groups such as ‘high cost, high risk’ social groups who are vulnerable to social exclusion) to develop targeted welfare strategies.

As regards private-sector online commerce, the Commissioner recommends a number of measures to correct what he describes as the “worrying trend particularly with those who provide on-line services not to have thought through the privacy implications of their activities and given users robust privacy settings as a default”.

What to do about the risks identified in the report? The ICO’s recommendations focus principally on overhauling the legislative process insofar as it affects privacy, by introducing:

  • a requirement for a privacy impact assessment to be presented during the parliamentary process where legislative measures have a particular impact on privacy;
  • an opportunity for the Information Commissioner to provide a reasoned opinion to Parliament on measures that engage concerns within his areas of competence, and
  • a legal requirement to make sure all new laws that engage significant privacy concerns undergo post-legislative scrutiny to ensure they are being implemented and used as intended by Parliament.

If implemented, these measures would add substantially to the ICO’s clout as the guardian of privacy.

The report can be found here, with the accompanying press release from the ICO here.