Retention and disclosure of police caution data infringe Article 8

November 14th, 2012 by Charles Bourne

The European Court of Human Rights yesterday handed down a Chamber judgment in M.M. v United Kingdom (Application no. 24029/07) declaring that the arrangements for the indefinite retention of data relating to a person’s caution in a criminal matter and for the disclosure of such data in criminal record checks infringe Article 8 of the ECHR. Although the Court recognised that there might be a need for a comprehensive record of data relating to criminal matters, the indiscriminate and open-ended collection of criminal record data was unlikely to comply with Article 8 in the absence of clear and detailed statutory regulations clarifying the safeguards applicable and governing the use and disposal of such data, particularly bearing in mind the amount and sensitivity of the data. 

The case arose from a family dispute in Northern Ireland in the course of which the applicant, a grandmother, took her grandson away from his parents for two days before returning him unharmed. This resulted in her receiving a caution for child abduction in November 2000. In 2003 the police advised her that her caution would remain on record for only five years, i.e. until 2005. However, following the Soham murders and the Bichard report, there was a change of policy whereby any convictions and cautions where the victim was a child would be kept on record for the offender’s lifetime. 

Until 1 April 2008, requests for disclosure of criminal record data in Northern Ireland were made on a consensual basis. Disclosure took place in accordance with well-established common law powers of the police. Provisions of the Police Act 1997, introduced in England and Wales in 2006, were applied to Northern Ireland in 2008. Section 113A required a criminal record certificate to be issued on request and payment of a fee, to include details of all cautions and convictions whether spent or not, if the request was for stated purposes including that of assessing the suitability of persons to work with children and vulnerable adults.

Disclosure of the applicant’s caution caused her to be turned down for jobs as a family support worker in the social care field. She complained that the indefinite retention and disclosure of the caution data infringed her ECHR rights.

The Court noted that both the storing of information relating to an individual’s private life and the release of such information come within the scope of Article 8 § 1. The question was whether the police records contained data relating to the applicant’s “private life” and, if so, whether there had been an interference with her right to respect for private life. The data was both “personal data” and “sensitive personal data” within the meaning of the Data Protection Act 1998 and “personal data” in a special category under the Council of Europe’s Data Protection Convention. Although a person’s criminal record was public information, systematic storing of data in central records made them available for disclosure long after the event. As a conviction or caution receded into the past, it became a part of the person’s private life which had to be respected. The applicant’s voluntary disclosure of the caution to her prospective employer did not deprive her of the protection afforded by the Convention where employers were legally entitled to insist on disclosure. Thus Article 8 applied, and the retention and disclosure of the caution amounted to an interference.

To decide whether the interference could be justified under Article 8 § 2, the Court considered the legislation and policy applicable at the relevant time and since. It highlighted the absence of a clear legislative framework for the collection and storage of data and the lack of clarity as to the scope, extent and restrictions of what in Northern Ireland were originally common law powers of the police to retain and disclose caution data. There was also no mechanism for independent review of a decision to retain or disclose data. The provisions of the Police Act 1997 which came into force in Northern Ireland on 1 April 2008 created some limited filtering arrangements in respect of disclosures. However, in providing for mandatory disclosure under section 113A, no distinction was made on the basis of the nature of the offence, the disposal in the case, the time which had elapsed since the offence or the relevance of the data to the employment sought.

 The Court decided that the cumulative effect of these matters was an insufficiency of safeguards in the system to ensure that data relating to the applicant’s private life had not been, and would not be, disclosed in violation of her right to respect for her private life, and therefore the retention and disclosure of data was not “in accordance with the law” for the purpose of Article 8 § 2. The Court therefore did not go on to determine whether the interference was “necessary in a democratic society” for one of the stated aims, or whether there had been any infringement of Articles 6 and 7.

 Charles Bourne

 

SCOTTISH GOVERNMENT ISSUES PRIVACY GUIDANCE

January 5th, 2011 by Robin Hopkins

The Scottish Government has published its guidance document on Identity Management and Privacy Principles. The guidance is aimed at both public sector policy makers and with those involved in devising or operating systems for proving or recording identity. Key principles include:

  • For services which are used frequently and for which identification is needed, users should be required to register only once. Thereafter, unless there is a statutory requirement to prove identity, a person should generally be able to access the service by authenticating themselves using a token (such as a bus pass or library card) that proves their entitlement without revealing personal information. In other circumstances, a user name and a password may be required.
  • A Privacy Impact Assessment (PIA) or proportionate equivalent should be conducted and published prior to the implementation of a project which involves the collection of personal information.
  • Where a public body has a contract with the private sector or the third sector, the contractor must be contractually bound to adhere to best practice as outlined in the guidance.
  • The creation of centralised databases of personal information is to be avoided.
  • If a public service organisation needs to link personal information from different systems and databases (internally or between organisations), it should avoid sharing persistent identifiers. Instead, other mechanisms – such as matching – should be considered.

ICO’S SURVEILLANCE REPORT 2010: ‘SLEEPWALKING’ RISK REMAINS; ‘PRIVACY IMPACT ASSESSMENTS’ PROPOSED FOR NEW LEGISLATION

November 15th, 2010 by Robin Hopkins

The Information Commissioner has delivered his latest report to the Home Affairs Select Committee on “the state of surveillance” in the UK. The report traces privacy-related developments since the Commissioner’s 2006 report on the same theme, which memorably observed that the UK may be “sleepwalking into a surveillance society”. According to the November 2010 report, that warning

 “… is no less cogent in 2010 than it was several years ago. It is not being suggested that the UK is a ‘police state’ or that there are surveillance conspiracies afoot against the public. Neither the 2006 report nor this one supports such an assumption, and evidence for it is lacking. Much of what is taken to be surveillance is done for benign reasons and has beneficial effects on individuals and society. But much surveillance also goes beyond the limits of what is tolerable in a society based on the rule of law and human rights, one of which is the right to privacy.”

The report provides an illuminating summary of trends in (amongst others) the use of CCTV, body scanning and border control (including ‘ethnic targeting’ for security searches), workplace monitoring, social networking, ‘crowdsourcing’, the monitoring of protest activities and even the use of unmanned drones. Scrutiny is also given to a number of governmental policy tools, such as databases and the use of ‘social sorting’ (eg into groups such as ‘high cost, high risk’ social groups who are vulnerable to social exclusion’) to develop targeted welfare strategies.

As regards private-sector online commerce, the Commissioner recommends a number of measures to correct what he describes as the “worrying trend particularly with those who provide on-line services not to have thought through the privacy implications of their activities and given users robust privacy settings as a default”.

What to do about the risks identified in the report? The ICO’s recommendations focus principally on overhauling the legislative process insofar as it affects privacy, by introducing: 

  • a requirement for a privacy impact assessment to be presented during the parliamentary process where legislative measures have a particular impact on privacy;
  • an opportunity for the Information Commissioner to provide a reasoned opinion to Parliament on measures that engage concerns within his areas of competence, and
  • a legal requirement to make sure all new laws that engage significant privacy concerns undergo post-legislative scrutiny to ensure they are being implemented and used as intended by Parliament.

If implemented, these measures would add substantially to the ICO’s clout as the guardian of privacy.

The report can be found here, with the accompanying press release from the ICO here.

PATIENT DATA SHARING – ARE WE RUNNING OUT OF PATIENCE?

March 26th, 2010 by Anya Proops

The question of the extent to which those working within the national health service should have access to patient data is a difficult one to resolve. On the one hand, permitting widespread access can potentially enable health service provides to provide more efficient, ‘joined up’ health-care to patients. On the other hand, there will always be concerns that too much access increases the risk that patient data, which is obviously sensitive personal data for the purposes of s. 2 of the Data Protection Act 1998, will be misused and/or inadvertently disclosed to third parties. We have seen this debate unfolding not least in respect of the Spine database project which is aimed at achieving a comprehensive centralised database of NHS patient records. The British Medical Association amongst others have alreeady expressed concern that the system is being rolled out too quickly (see further this article from the Guardian earlier this month). Today, reports are surfacing in the media that an NHS Trust in Wales is failing to ensure that proper restrictions are being placed on hospital staff accessing patient data (see further this BBC article which suggests hospital porters, IT staff and administrators have all been permitted access to patient data). This kind of story is only going to fuel concerns that the quest for efficiency in patient treatment requires too high a price to be paid in terms of compromising the privacy rights of patients.

DISCLOSING INFORMATION FOR CHILD PROTECTION PURPOSES – NEW ADMINISTRATIVE COURT JUDGMENT

March 19th, 2010 by Anya Proops

The question of whether and to what extent local authorities can or should share information about individuals thought to pose a risk to children is often a very difficult one to answer in practice. Failure to disclose the information may expose the authority to claims that it has not acted in accordance with its duties to safeguard children’s interests. On the other hand, sharing the information may expose the authority to claims that it has acted in excess of its powers and has otherwise breached the individual’s right to privacy under Article 8 ECHR. In the recent case of H & L v X City Council and Y City Council [2010] EWHC 466 (Admin), the Administrative Court considered this question in a case involving the disclosure of information by a local authority about a severely disabled man (H) who been convicted of indecent assault on a child. In this case, the council had made a variety of disclosures to organisations with which H was involved. It had also adopted a policy of considering on a case by case basis whether it should make disclosure of information relating to H to organisations with which he became involved in the future. In addition, the local authority had a policy of disclosing information to H’s personal care assistants, purportedly to protect any children those carers may bring into contact with H.

In a judgment which recognised the very strong imperative in favour of protecting children’s interests, Judge Langan QC held that the policies of disclosure to organisations with which H was involved constituted a proportionate interference with H’s Article 8 right to privacy and was otherwise lawful. In reaching this conclusion, the judge took into account the fact that the disclosures were fairly guarded in nature; were not made in lurid terms and did not go beyond what was required for the purpose of making a measured communication. The judge similarly held that the policy of notifying other organisations with which H came into contact in future on a case-by-case basis was a reasonable, proportionate and otherwise lawful policy. However, the judge took issue with the authority’s policy of notifying H’s care assistants. He held that this was a disproportionate measure, particularly in view of the facts that: two of the three long-term carers had no children; there was a ‘no children at work’ provision in the relevant employment contracts and, further, the terms of the disclosures would raise suspicions in the minds of the carers which was more grave than H’s past conduct justified. In reaching his conclusions on the various policies adopted by the council, the judge plainly had in mind the recent important Supreme Court judgment in R(L) v Commissioner of Police of the Metropolis [2009] 3 WLR 1056, where the Supreme Court held that it was no longer right to assume that priority must be given to the need to protect the vulnerable over the right to respect for the private life of the individual. What this case perfectly illustrates is the highly fact-sensitive approach which needs to be adopted in any case where the local authority is contemplating sharing information for child protection purposes. Tim Pitt-Payne appeared on behalf of the local authority

Home Office publishes response to its consultation on communications data

November 16th, 2009 by Robin Hopkins

The Home Office has published a summary of responses to its April 2009 consultation paper on ‘communications data’, i.e. information about a communication that does not include the content of the communication itself. At present, such data is owned by communications service providers and accessed by certain public authorities under disparate statutory powers for the purposes of combating, for example, fraud, terrorism and other serious crime. The government is considering an overhaul so as to bring all communication types (such as web chat) and all relevant service providers (some of whose contractual positions place them beyond the current statutory arrangements) within the system.

 

The attendant tension between individual liberty and public protection is reflected in the 221 responses to this consultation.

 

A substantial minority of respondents objected in principle to any ‘surveillance’ of communications. A majority (albeit a fairly narrow one) agreed that communications data served an important public purpose and that the government should therefore act to maintain the capability of public authorities to make use of this type of information.

 

As to what form this action should take, only one element of the government’s proposed approach was widely welcomed, namely its rejection of a central database for holding all data of this type. Reservations were otherwise expressed about technological feasibility, data security and the proportionality of public authorities’ use of communications data.

 

Nonetheless, such reservations were not deemed forceful or widespread enough to deter the government from its proposed course. A number of respondents’ suggestions have been rejected, including the specifying of categories of data which should not be retained, and the requirement for a magistrate’s authorisation before communications data can be accessed.

The government is also satisfied that the DPA 1998 and RIPA 2000 provide sufficient safeguards against abuse of such data. A legislative review is, however, proposed, to see if a single means of authorised access (through RIPA 2000) would be practicable. Fresh or consolidating legislation appears likely.

NHS SPINE – PERMISSION TO DELETE CARE RECORDS

May 27th, 2009 by Anya Proops

The creation of electronic summary patient records which can readily be accessed by medical teams on the NHS broadband computer system, known as the Spine, is one which has met with approval in many quarters. This is unsurprising given the potential health benefits resulting from clinicians being able to access such records. However, this approval has been tempered by concerns that the NHS, in common with other large-scale public authorities, may not be able to maintain appropriate levels of security with respect to this manifestly sensitive personal data. Yesterday the Guardian reported that, following talks between the ICO and Connecting for Health (CfH), the agency responsible for implementing the records scheme, CfH has now yielded to calls for NHS patients be given the right to have their summary care records deleted from the system (although deletion would not occur if the records had already been used, in which case they would be archived for medic-legal reasons). The right to have records deleted will be additional to the right already granted to patients to opt out of the scheme before a record is created for them. CfH’s decision to permit patients to have their record deleted represents a move away from earlier proposals that, where objections were made, the record would simply be ‘masked’ within the system. Notably, the news over changes to the care records scheme comes only days after it was revealed that records revealing personal data relating to tens of thousands of MOD personnel, which were lost last year, had contained not merely financial information but also highly sensitive vetting information. The revelations have been controversial because, whilst the loss was announced last year, neither Parliament nor the ICO were informed that the lost data included sensitive vetting data.

Recent conference papers

April 30th, 2009 by Timothy Pitt-Payne QC

On 11 KBW’s main website, you can now find some conference papers delivered this month by members of chambers.

There’s a paper that I gave at a Northumbria University conference.  The theme of the conference was information sharing; my paper is about the new law on breach of confidence (post-Campbell v MGN).

Yesterday, the LGG/11KBW legal update conference took place, with about 115 delegates.  Karen Steyn gave a paper on recent case-law affecting local authorities; the first section is about information law.  I gave a paper about employment vetting.  In discussion, delegates were clearly very interested in getting to grips with the new ISA barring regime.  Questions were raised about its implications for elected members of local authorities, and for volunteers (e.g. parents helping out in schools).  

Another subject  raised in discussion was the recent decision of the Administrative Court in R(G) v Governors of X School and Y City Council.  A music assistant employed at a primary school was dismissed; the allegation was that he had formed an inappropriate relationship with a 15 year old boy who was on work experience at the school.  The school’s disciplinary committee told the employee that they would be reporting the case to the Secretary of State for potential inclusion in “list 99″ (i.e. the statutory list of those banned from working in schools).  The Court quashed the decision because the school had refused to allow legal representation at the dismissal hearing or at a forthcoming appeal.  The disciplinary proceedings, and the referral to the Secretary of State for a potential banning direction, formed part of one and the same proceedings.  Those proceedings were not criminal in nature for the purpose of article 6 of the Convention.  However, their potential consequences were grave; and procedural fairness required the claimant to be allowed legal representation, before both the school’s disciplinary committee and its appeal committee.

A problem shared is a breach of the DPA?

April 9th, 2009 by Timothy Pitt-Payne QC

It’s a good time for a conference about information sharing.  The data sharing provisions in the Coroners and Justice Bill have been withdrawn, in the face of widespread criticism – including from the Bar Council (for more background, see our previous posts here and here).   The question whether anything will be done to implement last year’s Thomas/Wolpert review remains an open one. 

Against this background, Northumbria University’s conference on 17th April is topical.  Speakers include Richard Thomas (coming to the end of his term as Information Commissioner), Marcus Turle from Field Fisher Waterhouse, and Steve Eccleston from Sheffield City Council.  I shall be delivering a paper about breach of confidence and its significance for information sharing (I will post it on the 11KBW website after the conference).

The Age of Internet Surveillance

April 6th, 2009 by Anya Proops

With effect from today, all UK internet service providers (“ISP”) will be required to retain data relating to every email which is sent and every online telephone call which is made using their services. The data, which must be stored by ISPs for 12 months, will not include the content of the email or the call. It will however include the date, time, duration and routing of the online communication as well as information as to the internet subscriber or user. The obligation to retain this data is imposed under the Data Retention (EC Directive) Regulations 2009 (“the Regulations”). The regulations were enacted in order to bring into effect the provisions of the Data Retention EU Directive 2006/24/EC. The Directive was itself enacted in response to concerns that a lack of consistency of approach to data collection across Europe, particularly in the field of internet communications, was hampering the fight against crime, including international terrorism. The effect of the Regulations, which come into force today, is that the data retention principles which already apply to telecoms providers under the Data Retention (EC Directive) Regulations 2007 will now also apply to internet providers. As well as retaining the communications data, the internet service provider must afford access to particular data where they are required to do so by law (regulation 7). They must also abide by certain principles relating to the protection and security of the data (regulation 6).