Damages under section 13 DPA: Court of Appeal’s judgment in Halliday

May 17th, 2013 by Robin Hopkins

I blogged a while ago about the ex tempore judgment from the Court of Appeal in a potentially groundbreaking case on damages under section 13 of the DPA, namely Halliday v Creation Consumer Finance [2013] EWCA Civ 333. The point of potential importance was that ‘nominal damages’ appeared to suffice for the purposes of section 13(1), thereby opening up section 13(2). In short, the point is that claimants under the DPA cannot be compensated for distress unless they have also suffered financial harm. A ‘nominal damages’ approach to the concept of financial harm threatened to make the DPA’s compensation regime dramatically more claimant-friendly.

The Court of Appeal’s full judgment is now available. As pointed out on Jon Baines’ blog, ground has not been broken: the ‘nominal damages’ point was a concession by the defendant rather than a determination by the Court. See paragraph 3 of the judgment of Lady Justice Arden:

“… this issue, which was the main issue of the proposed appeal to this court, is now academic as the respondent, CCF, concedes an award of nominal damages is “damage” for the purposes of the Directive and for the purposes of section 13(2) of the Data Protection Act 1998.”

Other potentially important points have also fallen somewhat flat. The question of whether UK law provided an adequate remedy for a breach of a right conferred by a European Directive fell away on the facts (“proof fell short in relation to the question of damage to reputation and credit”), while the provision for sanctions under Article 24 of Directive 95/46/EC was neither directly enforceable to Mr Halliday nor of assistance to him.

Still, the judgment is not without its notable points.

One is the recognition that compensation for harm suffered is a distinct matter from penalties for wrongdoing; the former is a matter for the courts in the DPA context, the latter a matter for the Information Commissioner and his monetary penalty powers. Such was the implication of paragraph 11:

“… it is not the function of the civil court, unless specifically provided for, to impose sanctions. That is done in other parts of the judicial system.”

Another point worth noting is Lady Justice Arden’s analysis of distress and the causation thereof. The distress must be caused by the breach, not by other factors such as (in this case) a failure to comply with a court order. See paragraph 20:

“Focusing on subsection (2), it is clear that the claimant has to be an individual, that he has to have suffered distress, and that the distress has to have been caused by contravention by a data controller of any of the requirements of the Act. In other words, this is a remedy which is not for distress at large but only for contravention of the data processing requirements. It also has to be distress suffered by the complainant and therefore would not include distress suffered by family members unless it was also suffered by him. When I say that it has to be caused by breach of the requirements of the Act, the distress which I accept Mr Halliday would have felt at the non-compliance of the order is not, at least directly, relevant because that is not distress by reason of the contravention by a data controller of the requirements of this Act. If the sole cause of the distress had been non-compliance with a court order, then that would have lain outside the Act unless it could be shown that it was in substance about the non-compliance with the Data Protection Act.”

The claimant had sought to draw an analogy with guidelines and banding for discrimination awards as set by Vento v Chief Constable of West Yorkshire Police [2013] 1 ICR 31. The Court of Appeal was not attracted. See paragraph 26:

“In answer to that point, the field of discrimination is, it seems to me, not a helpful guide for the purposes of data protection. Discrimination is generally accompanied by loss of equality of opportunity with far-reaching effects and is liable to cause distinct and well-known distress to the complainant.”

Finally, Lady Justice Arden commented as follows concerning the level of the compensation to be awarded on the facts of this case: “in my judgment the sum to be awarded should be of a relatively modest nature since it is not the intention of the legislation to produce some kind of substantial award. It is intended to be compensation, and thus I would consider it sufficient to render an award in the sum of £750” (paragraph 36).

Lord Justice Lloyd (who, along with Mr Justice Ryder, agreed with Lady Justice Arden) did pause to think about a submission on this question, ‘if you were so distressed, why did you not complain immediately?’, but concluded that (paragraph 47):

“I confess that I was somewhat impressed at one point by Mr Capon’s submission that it was a surprise, if Mr Halliday was so distressed by this contravention, that he did not immediately protest upon discovering, in response to his first credit reference enquiry, the fact of the contravention, and indeed he did not protest until about a month after the second report had been obtained. But I bear in mind, in response to that, Mr Halliday’s comment that he had had such difficulty in getting any sensible response, or indeed any response, out of CCF at the earlier stage, that it is perhaps less surprising that he did not immediately protest. In any event, the period in question is not a very lengthy one between his discovery of the contravention by his first reference request and his taking action in July. Accordingly, it does not seem to me that that is a matter that should be taken to reduce my assessment of the degree of distress that he suffered.”

Robin Hopkins

Data protection: trends, possibilities and FOI disclosures

April 29th, 2013 by Robin Hopkins

At 11KBW’s information law seminar in May, one of the discussion topics was ‘the future of data protection’. Here are some further thoughts on some interesting trends and developments.

Progress at the EU level

A major issue on this front is of course progress on the draft EU Data Protection Regulation – on which see this blog post from the ICO’s David Smith for an overview of the issues currently attracting the most debate. While that negotiation process runs its course, the Article 29 Working Party continues to provide influential guidance for users and regulators on some of the thorniest data protection issues. Its most recent opinion addresses purpose limitation, i.e. the circumstances under which data obtained for one purpose can be put to another. A summary of its views is available here.

Subject access requests

Turning to domestic DPA litigation in the UK, practitioners should watch out for a number of other developments (actual or potential) over the coming months. On the subject access request front, for example, data controllers have tended to take comfort from two themes in recent judgments (such as Elliott and Abadir, both reported on Panopticon). In short, the courts in those cases have agreed that (i) data controllers need only carry out reasonable and proportionate searches, and (ii) section 7(9) claims being pursued for the collateral purpose of aiding other substantive litigation will be an abuse of process.

Data controllers should, however, note that neither of those points is free from doubt: there are plenty who doubt the legal soundness of the proportionality point, and the abuse of process point has arisen for section 7(9) claims to the court – it should not, in other words, be relied upon too readily to refuse requests themselves.

Damages

Damages under section 13 of the DPA is another area of potentially important change. The Halliday v Creation Consumer Finance case (briefly reported by Panopticon) has been given further discussion in the Criminal Law & Justice Weekly here. Based on that information, perhaps the most interesting point is this: defendants have rightly taken comfort from the requirement under section 13 that compensation for distress can be awarded only where damage has also been suffered. In Halliday, however, nominal damages (of £1) were awarded, thereby apparently fulfilling the ‘damage’ requirement and opening the door for a ‘distress’ award (though note that Panopticon has not yet seen a full judgment from the Court of Appeal in this case, so do not take this as a definitive account). If that approach becomes standard practice, claimants may be in much stronger positions for seeking damages.

A further potential development on the damages front arises out of monetary penalty notices: data controllers who are subject to hefty penalties by the ICO may in some cases also find themselves facing section 13 claims from the affected data subjects themselves, presenting a worrying prospect of paying out twice for the same mistake.

Disclosure of personal data in the FOIA context

In general terms, requesters struggle to obtain the personal data of others through FOIA requests. A couple of very recent decisions have, however, gone the other way.

In White v IC and Carmarthenshire County Council (EA/2012/0238), the First-Tier Tribunal allowed the requester’s appeal and ordered disclosure of a list of licensed dog-breeders in the council’s area. In particular, it concluded that (paragraphs 21-23):

“…the Tribunal believes – on the facts of this case – that an important factor for any assessment in relation to the “fairness” of the disclosure of the personal data is best discovered from the context in which the personal data was provided to the Council in the first place.

22. The context, here, is to secure a commercial licence required by law to breed dogs. That license is necessary for the local authority to know who the licensed dog breeders in that area are, and so that the law can be enforced and welfare checks can be conducted as and when necessary in relation to the welfare of the dogs being bred commercially.

23. Licensing – in the ordinary course of things – is a public regulatory process. Indeed it was a public process in Carmarthenshire, in relation to the information that is at the core of this appeal, until the Council changed its policy in 2008.”

The Tribunal was unimpressed by the suggestive language of a survey of dog breeders which the council had carried out to support its case for non-disclosure. It also noted that a neighbouring council had disclosed such information.

The First-Tier Tribunal issued its decision in Dicker v IC (EA/2012/0250) today. It allowed the requester’s appeal and ordered disclosure of the salary of the chief executive of the NHS Surrey PCT over specified time periods, including total remuneration, expenses allowance, pension contributions and benefit details. As to legitimate interests in disclosure, the Tribunal said that (paragraph 13):

“In this case the arrangements (including secondment and recharge from another public authority at one stage) mean that the arrangements are not as transparent as might be wished and it is not entirely clear from the information published (as opposed to the assurances given) that the national pay guidance has been complied with. Mr Dicker asserted that the CEO was paid in excess of the national framework. The Tribunal was satisfied that there was a legitimate public interest in demonstrating that the national framework had been complied with and that the published information did not properly establish this”.

On the questions of distress and privacy infringements, the Tribunal took this view (paragraph 14):

“The CEO is a prominent public servant discharging heavy responsibilities who must expect to be scrutinised. Individuals in such circumstances are rational, efficient, hard-working and robust. They are fully entitled to a high degree of respect for their private lives. However the protection of personal information about their families and their health is a very different matter from having in the public domain information about income… The Tribunal simply cannot accept that anyone in such a role would feel the slightest distress, or consider that there has been any intrusion or that they would be prejudiced in any way by such information. From the perspective of the individual such information is essentially trivial; indeed, in other European societies, such information would be routinely available.”

If this approach were to become standard, the implications for public authorities would be significant.

Further, there are two very important personal data FOIA cases to look out for in the coming months. Following its decision in the Edem case late in 2012, the Upper Tribunal’s next consideration of personal data in the FOIA context is the appeal in the Morley v IC & Surrey Heath Borough Council (EA/2011/0173) case, in which the Tribunal – in a majority decision in which Facebook disclosures played a significant part – ordered the disclosure of names of certain youth councillors.

More importantly, the Supreme Court will hear an appeal from the Scottish Court of Session in July about a FOISA request for the number of individuals employed by the Council on specific points in the pay structure. The council relied on the personal data exemption (contending that individuals could be identified from the requested information), but the Scottish Information Commissioner ordered disclosure and succeeded before Scotland’s highest court. The Supreme Court will consider issues including the approach to ‘legitimate interests’ under condition 6(1) of schedule 2 to the DPA (the condition most often relied upon in support of disclosing personal data to the public). The case is likely to have far-reaching implications. For more detail, see Alistair Sloan’s blog.

Panopticon will, as ever, keep its eye on these and other related developments.

Robin Hopkins

Court of Appeal gives judgment on credit reference agencies and accuracy of personal data

February 20th, 2013 by Robin Hopkins

The fourth data protection principle requires that “personal data shall be accurate and, where necessary, kept up to date”. It does not, however, “impose an absolute and unqualified obligation on [data controllers] to ensure the entire accuracy of the data they maintain. Questions of reasonableness arise in the application of the fourth principle, as paragraph 7 of Part II of Schedule I spells out.” This statement by Davis LJ (at para. 80) encapsulates the case of Smeaton v Equifax plc [2013] EWCA Civ 108, in which the Court of Appeal handed down judgment today.

Equifax is a well-known credit reference agency. Between 22 May 2002 and 17 July 2006 Equifax included in its credit file concerning the Respondent, Mr Smeaton, an entry to the effect that he was subject to a bankruptcy order. This was incorrect – that order had been rescinded in 2002.

He was subsequently declined a business loan, with serious detrimental consequences for that business. He brought a claim against Equifax for those business losses and “other losses and distress consequent upon his descent into a chaotic lifestyle”.

Initially, his cause of action was defamation. By the time of trial in 2011, it had become (a) a claim under s. 13 of the Data Protection Act 1998, and (b) a parallel common law tort claim.

The judge, HHJ Thornton QC (having substantially amended the first draft of his judgment following submissions at handing down), found that Equifax had breached the fourth data protection principle (as well as the first and the fifth, though he had heard no argument on these points), that it owed Mr Smeaton a parallel duty in tort and that he had suffered losses as a result of these breaches.

The Court of Appeal disagreed in strong terms, Tomlinson LJ saying this at para. 11 about the judge’s approach and conclusions – particularly on causation:

“In retrospect it is I think unfortunate that the judge attempted to resolve the causation issue in principle, divorced from the question what loss could actually be shown to have been caused by the asserted breaches of duty. I have little doubt that Mr Smeaton believes in all sincerity that a good number of the vicissitudes that have befallen him can be laid at the door of Equifax, but a close examination of the relationship between the losses alleged and the breaches of duty found by the judge would perhaps have introduced something in the way of a reality check. Had the judge looked at both issues together he might I think have had a better opportunity to assess the proposition in the round. As it is, the judge’s conclusion that the breaches of duty which he identified caused Mr Smeaton loss in that they prevented Ability Records from obtaining a loan in and after mid-2006 is in my view not just surprising but seriously aberrant. It is without any reliable foundation and completely unsupported, indeed contradicted, by the only evidence on which the judge could properly rely.”

Turning from the facts of the case and the question of causation to the approach to the fourth data protection principle in general, Tomlinson LJ said this at para. 44:

“The judge was also in my view wrong to regard the mere fact that the data had become inaccurate and remained accessible in its inaccurate form for a number of years as amounting to a “clearly established breach of the fourth principle” – judgment paragraph 106. Paragraph 7 of Part II provides that the fourth principle is not, in circumstances where the data accurately records [erroneous] information obtained by the data controller from the data subject or a third party, to be regarded as contravened if the data controller has, putting it broadly, taken reasonable steps to ensure the accuracy of the data. A conclusion as to contravention cannot in such a case be reached without first considering whether reasonable steps have been taken. As the facts of this case show, that may not always be a straightforward enquiry. Perhaps often it will and it may not therefore usually be difficult to establish a contravention. Once it is concluded that reasonable steps were not taken in this regard, a consumer may seek compensation under s.13. It will then be a defence for the data controller to show that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned. It may be that that enquiry is in substance no different from that required under paragraph 7 of Part II in the limited class of case to which that paragraph refers. However it should be noted that in cases not covered by paragraph 7 a contravention may be established without consideration of the reasonableness of the steps taken by the data controller. In such a case reasonableness would arise only if a defence were mounted under s.13(3).”

Tomlinson LJ then summarised the law and relevant legal guidance on credit reference agencies and bankruptcy proceedings. At para. 59, he concluded that:

“The judge’s approach begins with the observation, at paragraph 95 of the judgment, that erroneous or out of date data which remains on a consumer’s credit file can be particularly damaging. Of course this is true, and nothing I say in this judgment is intended to undermine the importance of the fourth data protection principle. But before deciding what is the ambit of the duty cast upon CRAs to ensure the accuracy of their data, it is necessary to put this important principle into context and to maintain a sense of proportion. In the context of lending, arrangements have been put in place to ensure that an applicant for credit should not suffer permanent damage as a result of inaccurate information appearing on his file. As recorded above these safeguards are set out in the Guide to Credit Scoring and are further explained in at least two other published documents…. The judge made no reference to these arrangements which are in my view relevant to the question how onerous a duty should be imposed upon a CRA to ensure that its data is accurate. I agree with Mr Handyside that in most cases of applications for credit failed on account of incorrect data the harm likely to be suffered is temporary inconvenience. It is possible that the judge overlooked this as a result of his flawed conclusion that it was inaccurate data, or more precisely the alleged breach of duty which gave rise thereto, which prevented Mr Smeaton / Ability Records from obtaining credit in and after July 2006.”

He continued at para 62:

“The judge ought in my view to have taken into account that these various publications demonstrate that both the methods by which CRAs collected and updated their data and the shortcomings in those methods were well-known to and understood by the Information Commissioner and the Insolvency Service.”

Tomlinson LJ also concluded (at paras. 67-68) that part of the judge’s conclusions on DPA breach “amounts to a conclusion that Equifax was in breach of the duty required of it under the DPA because it failed to attempt to persuade the Secretary of State and the Insolvency Service to initiate modifications to the legislative and regulatory framework and in particular failed to secure the reversal of the legislative choice made in 1986 no longer to require the automatic advertisement of annulments and rescissions. I do not consider that this is a realistic conclusion. Self-evidently it is not realistic to conclude that an exercise of this sort was either necessary or feasible in relation to a tiny number of cases where the consequences of inaccuracy could not normally be expected to be anything other than temporary inconvenience. A duty the content of which is to lobby for a change in the law must be very uncertain in its ambit and extent and in my view is implausible.”

Finally, not only had the judge erred in his approach to causation and the fourth data protection principle, he was also wrong to find that there was a parallel duty in common law: the House of Lords said in Customs and Excise Commissioners v Barclays Bank [2007] 181 that statutory duties cannot generate parallel common law ones, and on the traditional three-fold test of foreseeability, proximity and whether it is fair, just and reasonable to impose a duty, the answer here would also be ‘no’.

The judgment will be welcomed not only by credit reference agencies, but by all those data controllers whose particular circumstances mean that data inaccuracy is, best efforts notwithstanding, an occupational hazard.

For another blog post on this judgment, see Information Rights and Wrongs, where Jon Baines was quick off the mark.

Robin Hopkins

Personal data: it’s all in the name

February 7th, 2013 by James Cornwell

A person’s name constitutes his or her personal data – so has held the Upper Tribunal recently in Information Commissioner v Financial Services Authority & Edem [2012] UKUT 464 (AAC).

Section 1(1) of the Data Protection Act 1998 (“the DPA”) defines “personal data” thus:

“‘personal data’ means data which relate to a living individual who can be identified—

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual; …”

Mr Edem made a request under the Freedom of Information Act 2000 (“FOIA”) to the Financial Services Authority (“the FSA”) seeking “a copy of all information that the FSA holds about me and/or my complaint that the FSA had failed to correctly regulate Egg plc”. The FSA declined to provide the information on various grounds. Mr Edem complained to the Information Commissioner. By the time that the Commissioner issued his Decision Notice the only remaining withheld information was the names of three FSA officials. The Commissioner upheld the FSA’s refusal to disclose this information on the basis that it was personal data of the individuals, they would have had no expectation of their names being released in public and any legitimate interest in disclosure was outweighed by the prejudice to their rights and freedoms (i.e. the information was exempt under FOIA, section 40(2) because disclosure would breach the First Data Protection Principle in Schedule 1 to the DPA).

On Mr Edem’s appeal the First-tier Tribunal (Information Rights) (“the FTT”) decided that the names of the officials did not constitute their personal data and ordered disclosure. In reaching that conclusion the FTT purported to apply the well-known analysis of the concept of personal data by Auld LJ in Durant v FSA [2003] EWCA Civ 1746, [2011] 1 Info LR 1 at [26-29]. In Durant at [28] Auld LJ identified two notions “that may be of assistance” in considering whether information relates to a person: biographical significance and focus. The FTT found that the disputed information was “not biographical in any significant sense” as it simply concerned transactions in which the individuals were involved. Further, the FTT held that the information did not have the individuals as its focus, but rather the handling of Mr Edem’s complaint.

In the Upper Tribunal Judge Jacobs rejected that analysis and allowed the Commissioner’s and FSA’s appeals against the FTT’s decision.

The Judge identified two relevant elements to the definition of personal data in section 1(1) of the DPA: relation and identification (see at [10]). Durant was a case about relation, not identification (see at [20], [29]). The Judge considered that Auld LJ’s two notions (biographical significance and focus) were not presented as being exhaustive or as defining the concept of personal data (see at [21]) and were limited to “borderline” cases (see at [23]).

Judge Jacobs considered that the ECJ’s decisions in Criminal Proceedings against Bodil Lindqvist (Case C-101/01) [2003] ECR I-6055 and European Commission v Bavarian Lager Co Ltd (Case C-28/08 P) were authority that the names of persons are personal data.

As the names of the officials were held by the FSA, the information was data for the purposes of section 1(1) of the DPA (see at [33]). Although the names were (in this case) not unique, taken together with contextual information such as grades and dates of employment they identified the officials (see at [36]). As to the relation element of the definition of personal data, the Judge concluded that the FTT had either: (1) misdirected itself because Auld LJ’s two notions were not relevant in this case as the information requested included not just the names but other personal data including the individuals’ role within the FSA and their involvement in Mr Edem’s complaint (see at [38]); or (2) misapplied Auld LJ’s two notions. There were two ways in which such misapplication occurred. First, the FTT adopted an approach to biographical significance that was too narrow and was inconsistent with the ECJ’s decision in Bavarian Lager (see at [40]). Secondly, the holder of information has to know whether or not information is personal data at the time it is recorded and on the test adopted by the FTT information would not be biographical because its significance was not known at the time of recording (see at [41]).

Having concluded that the information was personal data Judge Jacobs set aside the FTT’s decision and re-made the decision, finding (in agreement with the Commissioner’s Decision Notice) that condition 6 of Schedule 2 to the DPA was not satisfied as no legitimate interest in disclosure had been identified.

The Upper Tribunal’s conclusion in relation to the misapplication of Auld LJ’s two notions is plainly correct – the FTT’s approach does seem to have been significantly narrower than that approved by the ECJ in Bavarian Lager. Judge Jacobs’ second point in relation to misapplication is interesting. If biographical significance is interpreted in such a way that it is dependent on subjective or context-dependent judgment, then the task of a data controller would, indeed, be rendered very difficult as information slipped into and out of being personal data.

It should be noted that both in this case and Bavarian Lager there was some additional context in which the names appeared that gave them biographical significance – the case should not be read as saying that a name on its own (devoid of context) is necessarily personal data.

The Judge’s reasoning on the FTT’s misdirection at [38] is potentially more controversial. Whilst Auld LJ clearly intended his “two notions” to be non-exhaustive, it is open to question whether the judgments in Durant can really be read as intending to limit them only to borderline cases. However, that is the stance that the Information Commissioner and the Government have traditionally taken in interpreting Durant and Judge Jacobs has accepted it.

CPR disclosure applications: ignore the DPA; balance Articles 6 and 8 instead

December 13th, 2012 by Robin Hopkins

It is increasingly common for requests for disclosure in pre-action or other litigation correspondence to include a subject access request under section 7 of the Data Protection Act 1998. Litigants dissatisfied with the response to such requests often make applications for disclosure. Where an application is made in the usual way (i.e. under the CPR, rather than as a claim under section 7 of the DPA), how should it be approached? As a subject access request, with the “legal proceedings” exemption (section 35) arising for consideration, or as an “ordinary” disclosure application under CPR Rule 31? If the latter, what role (if any) do data protection rights play in the analysis of what should be disclosed?

As the Court of Appeal in Durham County Council v Dunn [2012] EWCA Civ 1654 observed in a judgment handed down today, there is much confusion and inconsistency of approach to these questions. Difficulties are exacerbated when the context is particularly sensitive – local authority social work records being a prime example. Anyone grappling with disclosure questions about records of that type will need to pay close attention to the Dunn judgment.

Background to the disclosure application

Mr Dunn alleged that he had suffered assaults and systemic negligence while in local authority care. He named individual perpetrators. He also said he had witnessed similar acts of violence being suffered by other boys. He brought proceedings against the local authority. His solicitors asked for disclosure of various documents; included in the list of requested disclosure was the information to which Mr Dunn was entitled under section 7 of the DPA. Some documents were withheld from inspection, apparently on data protection grounds.

Mr Dunn made a disclosure application in the usual way, i.e. he did not bring a section 7 DPA claim. The District Judge assessed the application in data protection terms. He ordered disclosure with the redaction of names and addresses of residents of the care facility – but not those of staff members and other agents, who would not suffer the same stigmas or privacy incursions from such disclosure.

Mr Dunn said he could not pursue his claim properly without witnesses and, where appropriate, their contact details. He appealed successfully against the disclosure order. The order for redaction was overturned. The judge’s approach was to consider this under the CPR (this being a civil damages claim) – but to take the DPA into account as a distinct consideration in reaching his disclosure decision.

The relevance of the DPA

The Court of Appeal upheld the use of the CPR as the correct regime for the analysis. It also upheld the appeal judge’s ultimate conclusion. It said, however, that he went wrong in treating the DPA as a distinct consideration when considering a disclosure application under the CPR. With such applications, the DPA is a distraction (paragraphs 21 and 23 of the judgment of Maurice Kay LJ). It is potentially “misleading to refer to a duty to protect data as if it were a category of exemption from disclosure or inspection. The true position is that CPR31, read as a whole, enables and requires the court to excuse disclosure or inspection on public interest grounds” (paragraph 21).

This was not to dismiss the usefulness of a subject access request to those contemplating litigation. See paragraph 16:

“I do not doubt that a person in the position of the claimant is entitled – before, during or without regard to legal proceedings – to make an access request pursuant to section 7. I also understand that such a request prior to the commencement of proceedings may be attractive to prospective claimants and their solicitors. It is significantly less expensive than an application to the Court for disclosure before the commencement of proceedings pursuant to CPR31.16. Such an access may result in sufficient disclosure to satisfy the prospective claimant’s immediate needs. However, it has its limitations. For one thing, the duty of the data controller under section 7 is not expressed in terms of disclosure of documents but refers to communication of “information” in “an intelligible form”. Although this may be achieved by disclosure of copies of original documents, possibly redacted pursuant to section 7(5), it seems to me that it may also be achievable without going that far. Secondly, if the data subject is dissatisfied by the response of the data controller, his remedy is by way of proceedings pursuant to section 7 which would be time-consuming and expensive in any event. They would also engage the CPR at that stage: Johnson v Medical Defence Union [2005] 1 WLR 750; [2004] EWCH 2509 (Ch).”

Instead, the CPR disclosure analysis should balance Article 6 and Article 8 rights in the context of the particular litigation.

Maurice Kay LJ summed up the requisite approach as follows:

“What does that approach require? First, obligations in relation to disclosure and inspection arise only when the relevance test is satisfied. Relevance can include “train of inquiry” points which are not merely fishing expeditions. This is a matter of fact, degree and proportionality. Secondly, if the relevance test is satisfied, it is for the party or person in possession of the document or who would be adversely affected by its disclosure or inspection to assert exemption from disclosure or inspection. Thirdly, any ensuing dispute falls to be determined ultimately by a balancing exercise, having regard to the fair trial rights of the party seeking disclosure or inspection and the privacy or confidentiality rights of the other party and any person whose rights may require protection. It will generally involve a consideration of competing ECHR rights. Fourthly, the denial of disclosure or inspection is limited to circumstances where such denial is strictly necessary. Fifthly, in some cases the balance may need to be struck by a limited or restricted order which respects a protected interest by such things as redaction, confidentiality rings, anonymity in the proceedings or other such order. Again, the limitation or restriction must satisfy the test of strict necessity.”

How to approach disclosure of social work records in litigation

This issue was dealt with by Munby LJ. In short, the main question was whether those seeking to withhold or redact social work records in litigation should analyse the issue in terms of public interest immunity (as some textbooks, older authorities and even the White Book appeared to suggest) or in terms of a balancing between competing rights under the ECHR (in particular, Articles 6 and 8).

Munby LJ made clear that the right answer is the latter. Where information contained in social work records is to be withheld in legal proceedings, this should not now be on the basis of a claim to public interest immunity; we are “a world away from 1970 or even 1989” (paragraph 43). This was despite the fact that “the casual reader of the White Book” (paragraph 31.3.33 in particular) could be forgiven for thinking that PII applies to local authority social work records. Here Munby LJ said he “would respectfully suggest that the treatment of this important topic in the White Book is so succinct as to be inadvertently misleading” (paragraph 48).

Importantly, Munby LJ also went on to explain how (and with what stringency) Article 8 rights to privacy and the protection of personal information should be approached when disclosing information pursuant to litigation. At paragraph 50, he gave the following guidance:

“… particularly in the light of the Convention jurisprudence, disclosure is never a simply binary question: yes or no. There may be circumstances, and it might be thought that the present is just such a case, where a proper evaluation and weighing of the various interests will lead to the conclusion that (i) there should be disclosure but (ii) the disclosure needs to be subject to safeguards. For example, safeguards limiting the use that may be made of the documents and, in particular, safeguards designed to ensure that the release into the public domain of intensely personal information about third parties is strictly limited and permitted only if it has first been anonymised. Disclosure of third party personal data is permissible only if there are what the Strasbourg court in Z v Finland (1998) 25 EHRR 373, paragraph 103, referred to as “effective and adequate safeguards against abuse.” An example of an order imposing such safeguards can be found in A Health Authority v X (Discovery: Medical Conduct) [2001] 2 FLR 673, 699 (appeal dismissed A Health Authority v X [2001] EWCA Civ 2014, [2002] 1 FLR 1045).”

Robin Hopkins

Redacting for anonymisation: Article 8 v Article 10 in child protection context

December 13th, 2012 by Robin Hopkins

Panopticon has reported recently on the ICO’s new Code of Practice on Anonymisation: see Rachel Kamm’s post here. That Code offers guidance for ensuring data protection-compliant disclosure in difficult cases such as those involving apparently anonymous statistics, and situations where someone with inside knowledge (or a ‘motivated intruder’) could identify someone referred to anonymously in a disclosed document. The Upper Tribunal in Information Commissioner v Magherafelt District Council [2012] UKUT 263 AAC grappled with those issues earlier this year in the context of disclosing a summarised schedule of disciplinary action.

Redaction is often crucial in achieving anonymisation. Getting redaction right can be difficult: too much redaction undermines transparency, too little undermines privacy. The Court of Appeal’s recent judgment In the matter of X and Y (Children) [2012] EWCA Civ 1500 is a case in point. It involved the publication of a summary report from a serious case review by a Welsh local authority’s Safeguarding Children Board. The case involved very strong competing interests in terms of Article 8 and Article 10 ECHR. For obvious reasons (anonymity being the key concern here) little could be said of the underlying facts, but the key points are these.

A parent was convicted in the Crown Court of a serious offence relating to one of the children of the family (X). The trial received extensive coverage in the local media. The parent was named. The parent’s address was given. The fact that there were other siblings was reported, as also their number. All of this coverage was lawful.

The local authority’s Safeguarding Children Board conducted a Serious Case Review in accordance with the provisions of the Children Act 2004 and The Local Safeguarding Children Boards (Wales) Regulations 2006. Those Regulations require the Board to produce an “overview report” and also an anonymised summary of the overview report. The relevant Guidance provides that the Board should also “arrange for an anonymised executive summary to be prepared, to be made publicly available at the principal offices of the Board”.

Here two features of the draft Executive Summary were pivotal.

First, reference was made to the proceedings in the Crown Court in such a way as would enable many readers to recognise immediately which family was being referred to and would enable anyone else so inclined to obtain that information by only a few minutes searching of the internet.

Second, it referred, and in some detail, to the fact, which had not emerged during the proceedings in the Crown Court and which is not in the public domain, that another child in the family (Y), had also been the victim of parental abuse.

The local authority wanted to publish the Executive Summary, seeking to be transparent about its efforts to put right what went wrong and that it has learned lessons from X’s death. It recognised the impact on Y, but argued for a relaxation of a restricted reporting order to allow it to publish the Executive Summary with some redactions. It was supported by media organisations who were legally represented.

The judge (Peter Jackson J) undertook a balance of interests under Articles 8 and 10. He allowed publication, with redactions which were (in the Court of Appeal’s words) “in substance confined to three matters: the number, the gender and the ages of the children.”

In assessing the adequacy of these redactions, the Court of Appeal considered this point from the judgment of Baroness Hale in ZH (Tanzania) v Secretary of State for the Home Department [2011] UKSC 4, [2011] 2 AC 166, at paragraph 33:

“In making the proportionality assessment under article 8, the best interests of the child must be a primary consideration. This means that they must be considered first. They can, of course, be outweighed by the cumulative effect of other considerations.”

Munby LJ thus concluded (paragraph 47 of this judgment) that “it will be a rare case where the identity of a living child is not anonymised”.

He recognised, on the other hand, that Article 10 factors always retained their importance: “there could be circumstances where the Article 8 claims are so dominant as to preclude publication altogether, though I suspect that such occasions will be very rare.”

On the approach to anonymisation through redaction, Munby LJ had this to say (paragraph 48):

“In some cases the requisite degree of anonymisation may be achieved simply by removing names and substituting initials. In other cases, merely removing a name or even many names will be quite inadequate. Where a person is well known or the circumstances are notorious, the removal of other identifying particulars will be necessary – how many depending of course on the particular circumstances of the case.”

In the present case, the redactions had been inadequate. They did not “address the difficulty presented by the two key features of the draft, namely, the reference to the proceedings in the Crown Court and the reference to the fact that Y had also been the victim of parental abuse” (paragraph 53).

Far more drastic redaction was required in these circumstances: to that extent, privacy trumped transparency, notwithstanding the legislation and the Guidance’s emphasis on disclosure. In cases such as this (involving serious incidents with respect to children), those taking disclosure decisions should err on the side of heavy redaction.

Robin Hopkins

Internet traffic data and debt collection: privacy implications

December 5th, 2012 by Robin Hopkins

Mr Probst was a subscriber to the internet service provider (ISP) Verizon. He failed to pay his bill. A company called ‘nexnet’, the assignee of Verizon’s debt, sought to collect the sums due. In doing so, it obtained and used his internet traffic data in accordance with its ‘data protection and confidentiality agreement’ with Verizon. Disinclined to pay up, Mr Probst argued that nexnet had processed his personal data unlawfully and that the relevant terms of its agreement with Verizon purporting to sanction that processing were void. The first-instance German court agreed with him, but the appellate court did not.

It referred a question to the CJEU concerning Directive 2002/58 (the privacy and electronic communications Directive), which seeks to “particularise and complement” the Data Protection Directive 95/46/EC.

Article 5(1) of the 2002 Directive provides confidentiality in respect of electronic communications and traffic data. Article 6(1) says that traffic data must be “erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication”, unless one of the exceptions in that Article applies. The relevant provisions here were Articles 6(2) and (5). The first allows traffic data to be processed for subscriber billing purposes – but only within a specified time period. The second allows for processing of such data by an ISP’s authorised agent only for specified activities and only insofar as is necessary for those activities. The provisions are worded as follows:

(2) Traffic data necessary for the purposes of subscriber billing and interconnection payments may be processed. Such processing is permissible only up to the end of the period during which the bill may lawfully be challenged or payment pursued.

(5) Processing of traffic data, in accordance with paragraphs 1, 2, 3 and 4, must be restricted to persons acting under the authority of providers of the public communications networks and publicly available electronic communications services handling billing or traffic management, customer enquiries, fraud detection, marketing electronic communications services or providing a value added service, and must be restricted to what is necessary for the purposes of such activities.

In Probst v mr.nexnet GmbH (Case C‑119/12), the Third Chamber of the CJEU essentially had to decide whether, and in what circumstances, Articles 6(2) and (5) allow an ISP to pass traffic data to the assignee of its claims for payment such that the latter may process those data. Its starting point was that Articles 6(2) and (5) were exceptions to the general principle of confidentiality with respect to one’s internet traffic data. They therefore needed to be construed strictly.

As regards Article 6(2), Mr Probst had argued that nexnet was not in the business of ‘billing’, but in the business of debt collection. The referring court’s view was that, for data protection purposes, those activities were sufficiently closely connected to be treated identically. The Third Chamber agreed. It found that, by authorising traffic data processing ‘up to the end of the period during which the bill may lawfully be challenged or payment pursued’, Article 6(2) relates not only to data processing at the time of billing but also to the processing necessary for securing payment thereof.

As to Article 6(5), the Court held “that a person acts under the authority of another where the former acts on instructions and under the control of the latter”.

The next question was essentially: what does a data protection-compliant contract between an ISP and a third party (an agent, assignee or someone to whom an activity is outsourced) look like? Must the ISP actually be able to determine the use of the data by the third party, including on a case-by-case basis, throughout the duration of the data processing? Or is it sufficient that its contract with the third party contains general rules about the privacy of telecommunications and data protection and provides for data to be erased or returned on request?

The Court emphasised that outsourcing or assignment may not result in lower levels of protection for individuals’ personal data (paragraph 26). The contract must be sufficiently specific. It must, for example, provide for the immediate and irreversible erasure or return of data as soon as knowledge thereof is no longer necessary for the recovery of the claims concerned. The controller (here, the ISP) must be in a position to check and ensure compliance with the privacy and data protection measures agreed under the contract, and the contract must provide for the ISP to be able to request the return or erasure of the data.

The issue in the Probst case (how to balance privacy and legal rights to monies owed) has obvious parallels with measures to combat copyright infringement (how to balance privacy and legal rights to intellectual property). I have blogged on copyright and privacy issues here and here.

The Probst judgment is an important confirmation of general principles about privacy with respect to one’s internet data. The implications for all sorts of contracts involving such data are clear – cloud computing arrangements, for example (on which, see Panopticon’s post here).

It is increasingly important that those contracts provide for specific and enforceable safeguards against unlawful processing of personal data. The Data Protection Directive will change before too long, but these principles will not.

Robin Hopkins

Retention and disclosure of police caution data infringe Article 8

November 14th, 2012 by Charles Bourne

The European Court of Human Rights yesterday handed down a Chamber judgment in M.M. v United Kingdom (Application no. 24029/07) declaring that the arrangements for the indefinite retention of data relating to a person’s caution in a criminal matter and for the disclosure of such data in criminal record checks infringe Article 8 of the ECHR. Although the Court recognised that there might be a need for a comprehensive record of data relating to criminal matters, the indiscriminate and open-ended collection of criminal record data was unlikely to comply with Article 8 in the absence of clear and detailed statutory regulations clarifying the safeguards applicable and governing the use and disposal of such data, particularly bearing in mind the amount and sensitivity of the data. 

The case arose from a family dispute in Northern Ireland in the course of which the applicant, a grandmother, took her grandson away from his parents for two days before returning him unharmed. This resulted in her receiving a caution for child abduction in November 2000. In 2003 the police advised her that her caution would remain on record for only five years, i.e. until 2005. However, following the Soham murders and the Bichard report, there was a change of policy whereby any convictions and cautions where the victim was a child would be kept on record for the offender’s lifetime. 

Until 1 April 2008, requests for disclosure of criminal record data in Northern Ireland were made on a consensual basis. Disclosure took place in accordance with well-established common law powers of the police. Provisions of the Police Act 1997, introduced in England and Wales in 2006, were applied to Northern Ireland in 2008. Section 113A required a criminal record certificate to be issued on request and payment of a fee, to include details of all cautions and convictions whether spent or not, if the request was for stated purposes including that of assessing the suitability of persons to work with children and vulnerable adults.

Disclosure of the applicant’s caution caused her to be turned down for jobs as a family support worker in the social care field. She complained that the indefinite retention and disclosure of the caution data infringed her ECHR rights.

The Court noted that both the storing of information relating to an individual’s private life and the release of such information come within the scope of Article 8 § 1. The question was whether the police records contained data relating to the applicant’s “private life” and, if so, whether there had been an interference with her right to respect for private life. The data was both “personal data” and “sensitive personal data” within the meaning of the Data Protection Act 1998 and “personal data” in a special category under the Council of Europe’s Data Protection Convention. Although a person’s criminal record was public information, systematic storing of data in central records made them available for disclosure long after the event. As a conviction or caution receded into the past, it became a part of the person’s private life which had to be respected. The applicant’s voluntary disclosure of the caution to her prospective employer did not deprive her of the protection afforded by the Convention where employers were legally entitled to insist on disclosure. Thus Article 8 applied, and the retention and disclosure of the caution amounted to an interference.

To decide whether the interference could be justified under Article 8 § 2, the Court considered the legislation and policy applicable at the relevant time and since. It highlighted the absence of a clear legislative framework for the collection and storage of data and the lack of clarity as to the scope, extent and restrictions of what in Northern Ireland were originally common law powers of the police to retain and disclose caution data. There was also no mechanism for independent review of a decision to retain or disclose data. The provisions of the Police Act 1997 which came into force in Northern Ireland on 1 April 2008 created some limited filtering arrangements in respect of disclosures. However, in providing for mandatory disclosure under section 113A, no distinction was made on the basis of the nature of the offence, the disposal in the case, the time which had elapsed since the offence or the relevance of the data to the employment sought.

 The Court decided that the cumulative effect of these matters was an insufficiency of safeguards in the system to ensure that data relating to the applicant’s private life had not been, and would not be, disclosed in violation of her right to respect for her private life, and therefore the retention and disclosure of data was not “in accordance with the law” for the purpose of Article 8 § 2. The Court therefore did not go on to determine whether the interference was “necessary in a democratic society” for one of the stated aims, or whether there had been any infringement of Articles 6 and 7.

Charles Bourne

Update on recent Tribunal decisions part 3: personal data of public officials and relating to court proceedings

November 13th, 2012 by Robin Hopkins

I posted a few days ago about some recent decisions of the First-Tier Tribunal on requests under FOIA and the EIR for personal data. There have been a number of decisions on this issue of late. The following are of note, as they illustrate the types of issues very frequently encountered by public authorities. They also illustrate the nuanced and forensic approach taken by some Tribunals. There may not be a presumption in favour of disclosing personal data, but public authorities should beware of assuming that Tribunals will be equally cautious about disclosing all types of personal data.

Chief Constable appointments: partial disclosure ordered

The Appointments Committee of Dyfed Powys Police Authority assessed and interviewed the candidates for the office of Chief Constable. There were two candidates. The Committee was advised by a representative from HM Inspector of Constabulary who was very critical of one of the candidates, leaving the Committee feeling that it had no option but to appoint the other. Committee members complained about the HMIC representative, including to the Home Office. The issue entered the public domain. The unsuccessful candidate requested copies of relevant correspondence.

The issues in Roberts v IC and Dyfed Powys Police Authority (EA/2012/0032) were whether s. 40(1) or alternatively s. 40(2) applied.

The IC raised s. 40(1) belatedly, arguing that the withheld documents were the requester’s own personal data: the lateness “vexed” the Tribunal, and in any event the s. 40(1) argument was rejected, as the Durant conditions of biographical significance and focus were not met. The IC had sought to apply the definition of “personal data” too widely in a way that went beyond the Durant restrictions.

The s. 40(2) argument concerned the personal data of (a) members of the Appointments Committee (the Tribunal’s answer: disclosure would breach the data protection principles, as they were unpaid public representatives who were not at fault), and (b) the HMIC representative (the Tribunal’s answer: disclosure was for the most part ordered, given the representative’s role, the publicised allegations about her conduct and the fact that disclosure would result in minimal incremental distress).

The case illustrates the ongoing dominance of Durant, the need to distinguish between types of data subject and the relevance of well-founded allegations of wrongdoing or poor conduct by public officials.

Redacting officials’ names: lack of legitimate interest in disclosure

Armit v IC and Home Office (EA/2012/0041) is one of two appearances by the UK Border Agency in this post. The request was for copies of guidance relating to which light vehicles/drivers should be stopped and interviewed and what circumstances should lead to the vehicle being detained whilst a search is undertaken and identity checks undertaken, as well as for statistics about such ‘stops and searches’ carried out at Dover Port. UKBA’s refusal was based in part on s. 40(2): it sought to redact the names of the officials in a document entitled ‘Tourist Selection Indicators and Selection Techniques’. The Tribunal was not very impressed by the arguments that officials would not have expected public disclosure of their names. However, fatal to the requester’s case was the failure to identify a legitimate interest in public disclosure of the names of those officials. The Tribunal concluded that:

“We do not accept the argument that the officials would not have expected their names within the document to be made public and were not given compelling evidence of this. We were given no information as to their specific grading but they were described in the document as ‘lead contributer’ and ‘lead postholder’. They clearly have some responsibility in relation to the work.  We were given no compelling evidence that disclosing their names would result in victimisation, insult or any form of danger.  However, we do accept that the officials would prefer not to have their names identified and that might in itself represent a certain right and freedom or legitimate interests in itself. In any event, to process personal data, it needs to be necessary to pursue the purposes of legitimate interests pursued by others.  In this case, we do not find that the Appellant has shown any legitimate interest in the names of the officials being disclosed to the public under FOIA. We conclude that the information is therefore exempt from disclosure.”

The case illustrates the importance of requesters making out a legitimate public interest in knowing the identity of officials whose names appear in requested documents where those officials are not obviously senior enough for a general accountability argument to suffice.

Neither confirm nor deny: involvement in court proceedings

In Mahajan v IC (EA/2011/0240), the requester sought information about the conduct of criminal proceedings in which he was involved, in particular relating to note-taking, recording, legal aid payments, contributions made by the judge during the hearing and communications between the requester and the court’s administrative staff.

The IC found that the request could be refused on the grounds of s. 40(5) FOIA, the “neither confirm nor deny” exemption for personal data. The argument was that the individuals identified in the requested information would have a legitimate expectation that information that might or might not confirm whether they had been part of an investigation and/or court proceedings would not be released.  A confirmation or denial would, it was argued, reveal some information which was not already in the public domain and was not reasonably accessible to the general public. It would also publicise the existence or otherwise of an investigation and court proceedings involving those named parties.

For some parts of the request, the Tribunal agreed: any answer would reveal personal data the public disclosure of which would breach a data protection principle. For the most part, however, the Tribunal disagreed with the IC. A major aspect of its reasoning was that much of the information related to a public court hearing: therefore, disclosing that an individual had been a judge in that hearing, or had appeared as an advocate would not breach any of the data protection principles. In addition, some of the “data subjects” were in fact not living individuals but commercial entities.

This case illustrates the importance, when taking a “neither confirm nor deny” stance, of assessing why mere confirmation or denial of whether the requested information is held (as opposed to disclosure of that information itself, if held) would breach a data protection principle.

Interestingly, while the Tribunal disagreed with the IC on a number of the s. 40(5) FOIA arguments, it went on to agree with the public authority that those parts of the request were plainly vexatious and could be refused on s. 14(1) FOIA grounds.

Qualifications of legal advisor

In Hodson v IC (EA/2012/0084), the Tribunal decided that information about the professional qualification of an individual fulfilling the role of Legal Adviser to Scunthorpe Magistrates’ Court should be disclosed but that the requester was not entitled to receive information about the Adviser’s other academic qualifications. Its nuanced approach (i.e. approaching different types of personal data differently) is summarised at its paragraphs 18 and 19:

“In view of the functions performed by Legal Advisers in a Magistrate’s Court, and the impact they are capable of having on those appearing before the court, we believe that there is a strong public interest in knowing that anyone fulfilling the role has the qualification of barrister or solicitor. That is to say the qualification that the Ministry of Justice holds out Legal Advisers as possessing. We believe that, were that information not to be a matter of public record, there would be strong public interest in its disclosure and that this would outweigh the individual’s right to privacy.

It follows that, were the position of Legal Adviser to be held by a person having any other qualification, there would be an equally strong public interest in that qualification also being publicly known. And that would apply whether the qualification was a non-legal one or a legal one that was less than full qualification as a barrister or solicitor. Examples of the latter would include a law degree, Chartered Institute of Legal Executives qualification, or completion of a Legal Practice Course or Bar Professional Training Course. But if the Legal Adviser holds the professional qualification of barrister or solicitor then the public interest in information about any other qualification, whether legal or non-legal, academic or professional, is greatly reduced. Disclosure, in those circumstances would constitute an unwarranted interference with the individual’s rights and freedoms.”

Nationality of opponent in litigation

Someone referred to as AF brought legal proceedings against Mr Philip Brown. Mr Brown incurred considerable costs as a result. He hoped to recover those costs if he won the case. In practice, he could only do so if AF was a British national; if he was a Nigerian national, he was thought likely to return there, putting him effectively beyond the reach of UK jurisdiction for enforcing any costs order. Mr Brown asked the UK Border Agency for “official information showing whether or not [Mr AF] is a UK citizen, or whether he is a Nigerian citizen who is in the UK on some sort of temporary permission”. The request was refused on s. 40(2) FOIA grounds; the Commissioner agreed.

The Tribunal in Philip Brown v IC (EA/2012/0094) also agreed. The requester argued that this was not “personal data”: Mr AF cannot be identified by his immigration status alone since that simply discloses whether he is one of 60 million people (if he is a UK national), or one of 120 million people (if he is a Nigerian national). The Tribunal rejected this as misconceived:

“What he is saying, in effect, is that if an individual is already known to the requester and can be identified by him through information already held, then any additional information such as his immigration status, cannot be personal data because that does not identify him. Taken to its logical conclusion, it would mean that the Appellant could ask a public authority to disclose a range of information about Mr AF (for example, whether he is gay or straight, a Christian or a Muslim, divorced or single), on the basis that such information would only disclose the category of people to which Mr AF belongs and would not itself identify him.”

The requested information was “personal data” in Durant terms.

The requester also sought to rely on s. 35(2)(a) of the DPA, arguing that disclosure is “necessary for the purposes of, or in connection with, legal proceedings” and therefore that the data protection principles would not be breached. He said he needed the information in order to seek a protective costs order in accordance with the CPR.

The Tribunal considered the meaning of “necessary” in this context: it rejected the IC’s argument that “necessary” means “relevant and proportionate”, preferring Mr Brown’s view that it meant “indispensable, requisite, needful, that which cannot be done without”. The problem was that the requested information would not help with any application for a protective costs order. Condition 6(1) would not be met and s. 40(2) was upheld.

Robin Hopkins

Update on recent Tribunal decisions part 2: personal data of “low inherent sensitivity”

November 8th, 2012 by Robin Hopkins

The “personal data” provisions under s. 40(2) FOIA and regulation 13 EIR can often be very difficult to apply, particularly in light of the Durant “notions of assistance”, namely biographical significance and focus. It is correspondingly difficult to predict how such arguments will fare before the Tribunal. Two recent cases offer good illustrations. Both saw the Tribunal order disclosure of property-related personal data which was deemed to be of “low inherent sensitivity”.

Council housing

Exeter CC v IC and Guagliardo (EA/2012/0073) concerned a request for the addresses of all residential properties owned by or leased or rented to the Council. The Council refused the request. It was accepted that addresses constitute “personal data”, but the Commissioner considered it to be personal data of “low inherent sensitivity”. He found that disclosure would not breach any of the data protection principles. He ordered disclosure, subject to an exemption for addresses of properties allocated for housing those in need of protection.

The decision notice was upheld on appeal. The following aspects of its decision are notable (Tribunal comments appearing in italics).

As to the Council’s arguments for withholding the addresses:

  • The Council had conducted a survey of residents’ attitudes to such disclosures, but the particular questions and answers did not assist the Tribunal.
  • There was no clear evidence on the extent to which Council properties were already visually identifiable as such.
  • “The Tribunal observes that who owns property is not a private matter. It has to be publicly recorded and available by way of Land Registry Records (although there is a fee for this information). There are many other ways that the ownership becomes public (e.g. local knowledge, press articles when properties are constructed, news articles and planning records). The Tribunal is satisfied that a tenant cannot therefore have a legitimate expectation that this information would not be disclosed.”
  • The Council argued that disclosure of the list of addresses would identify the residents as Council tenants and, as such, vulnerable, for example to being targeted by those wishing to prey upon individuals who were in financial difficulty. There was, however, no evidence before the Tribunal that disclosure would add to the pre-existing risk of such behaviour.
  • The only information (additional to the fact of the address) that can be discerned about any particular data subject by the disclosure of the disputed information was that they or their predecessor may have been financially unable to meet their housing needs at some time.

As to the arguments for disclosure:

  • “Additionally we are satisfied that there is a proper distinction to be drawn between those living in a Council owned asset and private accommodation, because the Council are accountable to the public for the way they manage those assets and execute housing policy whereas a private landlord has no such additional public responsibility and that this must impact upon the reasonableness of any expectation that the Council would not publish this information.”
  • Disclosure would enhance transparency in allowing the public to be aware of the Council’s assets (i.e. its housing stock). By knowing how many properties the Council owns and where, the public would be enabled to scrutinise the distribution of Council properties between localities, and to analyse whether factors (such as levels of educational attainment) are correlated with the extent of Council owned housing in a given area.
  • Knowing the individual addresses would enable the public to see how Council properties are maintained, their state of repair and assess whether areas are under or over provided for.
  • “The Tribunal adds that such disclosure would also enable the public to review the type of housing stock owned and used by the Council and ascertain whether it could be used more efficiently to meet better the needs of those in housing need. Analysis of the extent to which private rentals are over or under used and whether this provides value for money would also be enabled by disclosure of this information.”

Overall, the Tribunal agreed that addresses constitute personal data of “low inherent sensitivity”.

This is the second such case before the Tribunal. The Tribunal in Neath Port Talbot v IC (EA/2011/0037) ordered disclosure of the same type of information in another, less fully reasoned decision last year. While no First-Tier Tribunal decision is binding, the case for withholding such information seems nonetheless increasingly difficult to make out.

Building control applications

Martin and Karen Sharples v IC (EA/2012/0076) is a second recent case in which the disclosure of personal data has been ordered in light of its “low inherent sensitivity”. The requesters sought information about building control applications made to Bolton MBC relating to roof conversions to residential properties in a specific cul-de-sac. The Council refused to provide the building control records and site visit notes, relying upon regulation 13 EIR (personal data). The issue was whether the residents/owners involved in those applications could be identified from the redacted records and notes and, if so, whether disclosure would breach any of the data protection principles.

The requesters argued that while they knew enough to identify the property owners from the requested information, a member of the public would not. The Tribunal was satisfied, however, that the owners could be identified – particularly given the availability of Land Registry searches, Google Earth and other ways to find out who lives where.

Like the Council residence addresses in the Exeter CC case, however, this application information was considered to be personal data of “low inherent sensitivity”. Disclosure would not breach the data protection principles, in light of the following factors:

  • The information was similar to the sort of information routinely provided to estate agents and in planning applications (which are made public)
  • It would be discernible to a surveyor when the house changes hands
  • Some of the information was visible to the naked eye
  • Much of the information constituted confirmation of normal practice of construction to a fixed standard
  • The data subjects had not been told they could expect confidentiality
  • There was a legitimate public interest in transparency, in particular in being assured that the Council had properly assessed whether the relevant regulations had been complied with

Many requests for personal data fail because the requester has not made out any or any sufficient legitimate interest in public disclosure of information impacting upon privacy. Sharples is interesting in that the emphasis worked the other way: the public interest does not appear to have been very pressing, but the personal data was sufficiently anodyne for disclosure to be the order of the day.

Robin Hopkins