NICK GRIFFIN IN THE TRIBUNAL: APPLICANT BLINDNESS, THE “JOURNALIST’S ROUTE” AND ARTICLE 10

February 10th, 2012 by Robin Hopkins

BNP leader Nick Griffin was convicted in 1998 for publishing material likely to stir up racial hatred. In 2009, Ian Cobain, an investigative journalist at The Guardian, requested sight of all Crown Prosecution Service papers relating to that prosecution. The Commissioner upheld its refusal. In Cobain v IC and Crown Prosecution Service (EA/2011/0112 & 0113), the Tribunal considered 3 exemptions, namely ss. 40(2), 32(1) and 30(1) of FOIA. For the most part, Mr Cobain’s arguments prevailed.

The decision is notable – indeed, essential reading – for a number of its key points. For example: when it comes to journalists requesting sensitive personal data, FOIA is not “applicant blind”. More generally, the decision affirms the importance of FOIA in facilitating investigative journalism. The approach to Article 10 ECHR from the Kennedy “report” is boldly affirmed. General guidance on s. 30(1) is set out. I’ll look at the key points from each exemption in turn. The decision is worth quoting in some detail.

Section 40(2) (personal data)

A number of important points emerge. First, in general, just because information emerged during evidence in a public trial, this does not mean it should automatically be disclosed under FOIA:

“Much of the information… was freely publicised at the trial in 1998… Where the public interest is engaged (as here where s. 30(1)(c) is invoked) it does not by any means automatically follow that such publication in the past determines the question of disclosure today. Most witnesses are entitled to expect that their exposure to public scrutiny ends with the conclusion of their evidence. Those who make statements do so in the expectation that, if not used at trial, they will not surface later.”

Secondly, just because information is in a prosecution file, it does not follow that it is necessarily personal data. The Commissioner was criticised for insufficiently granular analysis:

“It was clear that the broad and unparticularised approach adopted in the First Decision Notice could not be upheld. The fact that it is information held in a file assembled for the purposes of criminal proceedings against Mr. Griffin (see DPA s.2(g)) does not make it sensitive personal data, unless it is personal data in the first place.”

Some of the disputed information was therefore outside s. 40(2) because it was not personal data in the first place. Other information, however, was sensitive personal data. This meant that not only would the usual conditions need to be met (fairness, lawfulness, condition 6(1)) but a Schedule 3 condition was also mandatory. Those can be difficult to meet – unless you are a journalist. Condition 10 triggers the Data Protection (Processing of Sensitive Personal Data) Order 2000. This contains particular “lawful processing” conditions for the purposes of, among other things, journalism: see article 3 of the Order, which also imposes other conditions such as the disclosure being in the “substantial public interest” and “in connection with” issues such as “the commission of an unlawful act”. Paragraphs 31-33 of the Tribunal’s decision contain a useful summary of how the relevant provisions work.

This “journalist’s route” (my term, rather than the Tribunal’s) to obtaining sensitive personal data has been considered in a number of Tribunal decisions. In this case, it was given full effect:

 “Disclosure of the sensitive data would be “in connection with” the commission of an unlawful act (hence the conviction), seriously improper conduct and arguably Mr. Griffin`s unfitness for political office. It would be for the purpose of journalism, Mr. Cobain`s occupation, and would be intended for publication in his newspaper and possibly thereafter, in a book. Given the issues involved, namely racial and/or religious hatred and the right to express even extreme views, we find that disclosure would be in the substantial public interest. We do not consider that the passage of eleven years before the request renders disclosure unfair, or unwarranted by reason of prejudice to Mr. Griffin`s interests nor likely to cause substantial damage or distress to him. In making that judgement we have regard to Mr. Griffin`s age ( 50 at the date of the request, 39 at the date of trial), his continuing political prominence and his apparent claim to be an educated, reasonable and responsible MEP and party leader who has rejected any racial extremism formerly associated with his party.”

How does this “journalist’s route” square with the usual “applicant blindness” FOIA principle? The ICO argued that the latter prevails, such that the former only applies to pure DPA cases, not to FOIA ones. It emphasized the wording of s. 40(3)(a): disclosure to “a member of the public otherwise than under [FOIA]”. It argued that the average member of the public is the reference point for a FOIA disclosure. The average member of the public is not a journalist. The “journalist’s route” therefore has no place in FOIA.

The Tribunal disagreed (as the First-Tier Tribunal has done on a number of occasions now). It relied on the Upper Tribunal’s judgment in the APPGER case on this point, and said that:

 “… a requester who fulfils one or more of the schedule conditions is also a member of the public ( and is not the data processor ) who is receiving the information under FOIA. If this were not so, FOIA would be a valueless tool for the serious researcher, journalist, writer, politician or scholar seeking to investigate serious wrongdoing within the preceding thirty years. If that were the case, it would be reasonable to ask whether FOIA was worth enactment.”

The effect in this case was that s. 40(2) did not apply at all.

Section 32 (court records)

Next, the CPS relied on s. 32, the ambiguous wording of which has opened the door for Article 10 ECHR arguments: see the Kennedy v Charity litigation (Panopticon passim) in which the First-Tier Tribunal’s “report” on the application and effect of Article 10 on s. 32 will be considered by the Court of Appeal later this month. The Tribunal in Cobain wholeheartedly adopted the Kennedy report:

“We adopt with gratitude and respect the very careful reasoning of the report on this issue, which we believe accurately states the law as to Article 10 as recently developed… We do not doubt that s. 32(1) can be read down in a way which is consistent with Article 10. We consider that limiting the restriction in [s. 32(1)] so that it ends once a reasonable time has elapsed after the exhaustion or evident abandonment of the available appeal process would avoid a breach of Article 10.”

Consequently, s. 32 was not available as a ground for refusal in this case.

The Article 10 issue is obviously of enormous importance to the interpretation of FOIA – particularly, but not exclusively for journalists. As things stand, the role of Article 10 is uncertain. At least two other First-Tier Tribunals have heard or will hear argument on it this month (in the contexts of ss. 23, 40(2) and 41); the Court of Appeal will consider it in two cases this month, and the Supreme Court gives judgment in Sugar v BBC next week. Watch this space.

Section 30(1) (investigations)

In the context of this case, this exemption was “unarguably” engaged. The Tribunal made the following observations about the public interest in maintaining this exemption:

“The Tribunal acknowledges the substantial public interest in many circumstances in protecting from disclosure information gathered for the purposes of a criminal case, including the need to offer informants and witnesses protection from public exposure and a prosecuting authority a proper space in which to discuss and decide issues that arise.”

As against that, it said this about the public interest in disclosure:

“On the other hand, the public has a legitimate interest in criminal investigations and resulting court proceedings, especially where the defendant was a prominent political figure charged with an offence of great current importance in proceedings that he was keen to publicise. The passage of time is also a consideration. Legitimate public interest in such a case continues due to the profile of the defendant but the risk of any impact on the resulting proceedings disappeared long ago. More importantly, the relevant information in this appeal does not include statements from potentially vulnerable witnesses or highly sensitive material”.

The Tribunal therefore concluded that, in general, the public interest favoured the disclosure of the disputed information in this case, except for three categories which could properly be withheld.

On s. 30(1), this decision is a useful summary of the most relevant considerations. It is on ss. 40(2) and Article 10, however, that it has given a fresh boost to requesters.

Robin Hopkins

Tags: , , , , ,
Posted in INFORMATION LAW | Comments Off

UPDATE ON RECENT TRIBUNAL DECISIONS

January 11th, 2012 by Rachel Kamm

The First Tier Tribunal (Information Rights) has had a busy start to 2012, with 7 decisions on its website already.

The first judgment out was Herbert v ICO and West Dorset District Council, EA/2011/0157. The appellant sought correspondence concerning the transfer to the Council of property previously owned by Lyme Regis Borough Council. The Council refused the request on ground that it was vexatious. The history of this case related to incidents and disputes regarding a different matter, between the appellant and the Council dating back to 1992, which culminated in 1996 when the Council revoked a license held by the appellant. The ICO agreed that the request was vexatious. The appellant submitted that he had a genuine interest in the history of Lyme Regis and that he believed that some historical documents were missing from the National Archives and that they had been retained by the Council because they related to illegally acquired property. The Council had previously allowed him to research their archives on another matter and he wished to be able to do so again to look for these missing documents. He said that he had expected the ICO to contact him so that he could put forward further arguments. The FTT agreed with the ICO and the Council that the request had been made under FOIA (and not the EIRs). The FTT set out the key principles that have been applied by Tribunals in considering whether requests were vexatious under s14 FOIA. The FTT considered the background and found that the appellant’s request was obsessive. Further, the request had the effect of harassing the Council (even though the language was not hostile), as allegations of illegality and impropriety were made at the same time as the requests and there was a context of a high volume of correspondence. The Council had made extraordinary efforts to accommodate the appellant’s requests over a considerable period of time and valuable resources of time and effort have been used which could otherwise have been used more productively. In the view of the FTT, to accommodate this request would constitute a further and significant burden on the Council. The FTT concluded that the request was vexatious.

The next decision to be promulgated was King v ICO, EA/2010/0126. The appellant sought from the ICO records of complaints where Crawley Borough Council had failed to comply with FOIA/EIRs and the ICO never served a ‘decision notice’. The ICO refused the request on ground that the information  consisted of ‘third party information’ that was exempt from the requirements of disclosure. It did not identify the exemption relied on for refusing to disclose the information. However, it did provide the appellant with a summary of the information requested. Further information was provided by the ICO in response to the appellant’s request for a review of the decision. The appellant then asked for the information with just the personal details of individuals removed. The ICO refused, citing s.44 FOIA, as exempting information that is prohibited from disclosure under another Act, namely s.59 DPA (which prevents disclosure of information collected in the course of an investigation where there is no lawful authority to do so). The appellant requested  review of this decision. In subsequent correspondence, the ICO  relied on s.40 FOIA (the data protection exemption). The appellant then asked the ICO to make a decision under s.50 FOIA as to whether it had complied with the Act. Having previously been acting in its capacity as a body which was itself subject to FOIA, the ICO then changed back to its normal hat. The ICO said that it was reversing its decision and it provided the appellant with the  letters which had been sent to the Council in the cases alleging non-compliance with FOIA, with personal data redacted. The appellant disputed that this resolved his request; he also wanted the documents from the individuals making complaints and from the Council. The ICO denied that these had been within the scope of his original request. The ICO subsequently issued a decision notice stating that it had provided the appellant with the information requested, but that it had breached FOIA (including by not holding an internal review at the right stage, by not providing the information at the outcome of the internal review and by not acting within the time-scales in the Act). The appellant appealed, arguing that the ICO had not provided all information which fell within the scope of his request, had misinterpreted his request and had breached the duty to provide advice and assistance. In relation to the scope of the request, the FTT criticised the ICO for not having properly analysed the request but found that in fact it had provided all information that fell within the scope of the request. The appeal therefore failed. The FTT also found that the ICO was not in breach of the duty to provide advice and assistance; the appellant argued that the ICO should have asked him to clarify his request, but the FTT found that this was not necessary because the request was in any event clear and adequately specified the information sought. This case very much turned on its facts, but it is interesting to see the application of FOIA to the ICO as a public authority and it is also a useful reminder to carefully read the request from the outset.

The third decision out in 2012 was Newcastle Upon Tyne Hospital NHS Foundation Trust v ICO, EA/2011/0236. This appeal was struck out because the judge considered that there was no reasonable prospect of it succeeding. The disputed information was statistics about the number of people dismissed over a three year period. The Trust refused to provide the information, on ground that it was reasonably accessible (s.21 FOIA) by way of an application in the employment tribunal litigation. The Trust subsequently provided the information voluntarily. The ICO found that the Trust had misapplied s.21 FOIA. The Trust appealed, arguing that “The point at issue is one of prioritising the correct forum by which information is provided. The Trust point is that once proceedings are issued, the correct forum lies within the proceedings that have been issued, in this case the Employment Tribunal“. Not surprisingly, the judge found that this argument had no reasonable prospect of success. FOIA rights are not put on hold if there is litigation between the parties. Further, information obtained under FOIA can be used for any purpose whereas information obtained in litigation can only be used for that purpose and so litigation disclosure is not an answer.

Cross v ICO, EA/2011/025 is also a strike out decision. The appellant sought from Havant Borough Council a building control decision notice, plans and inspection records relating to a loft conversion to his home carried out in 1987. The Council refused the request under the EIRs, on ground that it was not held at the time of receipt of the request. The appellant believed that he had seen these documents on a visit to the Council and that, whilst it was possible that they had subsequently disappeared, his appeal should not be struck out. However, the Council had conducted a six day trawl for the information and the judge found that it was obviously willing to provide the information if it could be found. The appeal was therefore struck out as having no reasonable prospect of success.

Finally, in Martyres v ICO and NHS Cambridgeshire, EA/2011/020, the FTT dismissed an appeal by an appellant who sought all information held by NHS Cambridgeshire (and its relevant community services provider), in respect of her deceased mother who had died on 29 August 2009 including information about the care received by her mother at a care home she was staying at prior to her death. The appellant argued that she was the next of kin, proposed executor and trustee of one of the Wills and had a valid claim against her mother’s estate under the intestacy  rules. In relation to s.41 (FOIA), the FTT found that the information was obtained from another person (social care professionals), it possessed the necessary quality of confidence and disclosure would constitute such an actionable breach of confidence. The FTT further concluded that s.21 FOIA did not apply, in that the appellant would not have been able to obtain the disputed information under the Access to Health Record Act 1980 (as the appellant claimed); whilst she was the nearest relative, she was not the personal representative. The FTT also dismissed the appellant’s arguments under the Human Rights Act 1998.

Rachel Kamm

Tags: , , , , , , , , ,
Posted in Uncategorized | Comments Off

FROM NAKED PHOTOS TO NUCLEAR ENRICHMENT: ROUNDUP OF NEW TRIBUNAL DECISIONS

September 26th, 2011 by Robin Hopkins

The past week saw a slew of new decisions from the First-Tier Tribunal. Here is Panopticon’s highlights package.

Sections 41 (information obtained in confidence) and 43 (commercial prejudice)

In DBIS v IC and Browning (EA/2011/0044), the requester (a Bloomberg journalist) had sought information from the Export Control Organisation in connection with licences issued for the exporting to Iran of “controlled goods” – explained by the Tribunal as “mainly military, dual use (potentially military), equipment designed for torture or repression or sources of radio-activity”. The relevant public authority, the Department for Business, Innovation & Skills, refused the request, relying on sections 41 and 43. The IC found for the requester on the narrow basis that, whilst disclosure would result in a breach of confidence, no commercial detriment would be suffered by the licence applicants as a result. Subsequent evidence from the Department persuaded the IC to change position and support the appeal, which was resisted by the applicant. In a decision which turned on the evidence, the Tribunal allowed the appeal, and found both sections 41(1) and 43(2) to be effective.

Section 42 (legal professional privilege)

Two recent decisions on this exemption. Both saw the Tribunal uphold the refusal, applying the established approach under which this exemption has a strong in-built public interest. Szucs v IC (EA/2011/0072) involved an FOIA request about an earlier FOIA request (the appellant requested the legal advice and associated documents provided to the Intellectual Property Office about how to deal with a previous FOIA request made by the appellant’s husband). Davis v IC and the Board of Trustees of the Tate Gallery (EA/2010/0185) is eye-catching primarily because it concerned the Tate’s legal advice concerning the inclusion in an exhibition of a photograph of the actress Brooke Shields, aged ten, naked, entitled “The Spirit of America” (the Tate had initially proposed to include this in an exhibition, but ultimately withdrew the photograph).

Section 40 (personal data)

Beckles v IC (EA/2011/0073 & 0074) concerned the identifiability of individuals from small sample sizes, in the context of information about dismissals, compromise agreements and out-of-court settlements. The appellant asked Cambridge University for information on (among other things) the number of employees who received post-dismissal settlements. The answer was a low number. He asked for further details concerning the settlement amounts, rounded to some appropriate non-exact figure. This, said the Tribunal (applying the Common Services Agency/Department of Health approach to identifiability from otherwise anonymous figures) was personal data, the disclosure of which would be unfair. Its reasoning is summed up in this extract:

“Information as to the settlement of a claim made by an identified individual relating to his or her employment is undoubtedly personal data. The question is whether the four individuals or any of them could be identified if the information requested were disclosed, even in approximated form…. Cambridge University is made up of a large number of much smaller academic or collegiate communities. It is likely that a number of colleagues or friends will be aware that a particular individual settled a claim with the University within the time-scale specified. They will be aware of the general nature of that person`s employment. This is a small group of claims in a relatively short period. In the form originally requested it is readily foreseeable that one or more of the four will be identified.”

Sections 24 (national security) and 27 (international relations)

Burt v IC and MOD (EA/2011/0004) concerned information gathered by staff of the UK Atomic Weapons Establishment on an inspection visit to a United States atomic energy facility, as a learning exercise regarding the proposed development of an enriched uranium facility at Aldermaston. The US had expressed its desire to maintain proper confidence in what it regarded as a sensitive area. The MOD refused the request, relying on sections 27 and 24. By the time of the appeal, only a small amount of information had not been disclosed. This was primarily of a technical nature, containing observations about the operation of plant, machinery, procedures and processes at the US facility.

The Tribunal upheld the MOD and Commissioner’s case as regards the outstanding material. As regards section 27, the Tribunal applied the principles from Campaign against the Arms Trade v IC and MOD (EA/2006/00040). It observed, however, that confidential information obtained from another country would not always be protected by section 27: it was “perhaps axiomatic that the foreign State will take the United Kingdom as it finds it including but not limited to the effect of its own domestic disclosure laws. It follows that there may well be cases where information otherwise imparted in confidence from a foreign State to a United Kingdom authority would need to be considered on its own merits as to whether some form of disclosure should be made or ordered whether under FOIA or under similar analogous legislation or principles such as the UK data protection principles.”

As regards section 24, the Tribunal applied Kalman v IC and Department of Transport (EA/2009/0111) (recourse to the exemption should be “reasonably necessary” for the purpose of safeguarding national security), and Secretary of State for the Home Department v Rehman [2003] 1 A 153 (the threat to national security need not be immediate or direct).

Burt is also an example of a “mosaic effect” case: taken in isolation, the disputed information may appear anodyne, but the concern is with how it might be pieced together with other publicly available information.

Section 14(1) FOIA (vexatious requests)

Dransfield v IC (EA/2011/0079) is an example of the Tribunal overturning the Commissioner’s decision that section 14(1) had been engaged (for another recent example, see my post here). As with many such cases, the history and context were pivotal. Given that it is the request, rather than the requester, which must be adjudged to be vexatious, how should the context be factored in? The Tribunal gave this useful guidance:

“There is, however, an important distinction to be drawn between taking into account the history and context of a request, as in the cases referred to above, and taking into account the history and context of other requests made by a requester or other dealings between the requester and the public authority. The former is an entirely proper and valid consideration. The latter risks crossing the line from treating the request as vexatious, to treating the requester is vexatious. That line, in our view, was crossed in the present case.”

Robin Hopkins

Tags: , , , , , , , , , , , , , ,
Posted in INFORMATION LAW | Comments Off

IS FOIA ALWAYS MOTIVE BLIND? TRIBUNAL DECISION ON SEX OFFENDERS’ SENSITIVE PERSONAL DATA

September 16th, 2011 by Robin Hopkins

In Colleen Smith v IC and Devon & Cornwall Constabulary (EA/2011/0006), the requester asked for information on the number of school teachers in specified towns who had been investigated, cautioned and charged under the Sexual Offences Act 2003 between January 2005 and November 2007. The Constabulary eventually relied on the personal data at section 40(2) FOIA.

The Commissioner found that, where the answer was “zero”, this was not personal data and should be disclosed; otherwise, the information could be withheld under section 40. The Tribunal has upheld this decision, albeit for different reasons.

This decision is worth noting on a number of grounds.

First, this is a good illustration of the approach from Department of Health v IC [2011] EWHC 1430 (Admin) (the “abortion statistics” case – see my post here) to the definition of “personal data” in the context of apparently anonymous statistics. Here the Tribunal considered both the disputed information concerning numbers of alleged sex offenders and the “other information” held by the Constabulary, and was satisfied that living individuals could thereby be identified. Furthermore, for obvious reasons, this constituted “sensitive personal data”.

Secondly, the Tribunal turned to fairness of disclosure. As regards reasonable expectations of data subjects, it concluded (for confidential reasons, and notwithstanding that one can generally assume sensitive personal data will not be disclosed) that the data subjects in these circumstances could have had no reasonable expectation that these statistics would not be disclosed at the relevant time, i.e. late 2007.

Thirdly, the Tribunal also disagreed with the Commissioner that disclosure created a risk of harm to the suspected offenders at the relevant time.

Fourthly, the Tribunal considered whether a condition from Schedule 3 of the DPA 1998 would be met. It did so by asking itself whether paragraph 3 of the Schedule of the Data Protection (Processing of Sensitive Personal Data) Order 2000 applied. That concerns, inter alia, disclosure of information concerning alleged unlawful acts for “special purposes” such as journalism. Disclosure must, however, be “in the substantial public interest”.

The “special purpose” of journalism highlights the following important reminder. It is by now axiomatic that FOIA is “motive blind”. However, the cases of Ferguson v IC (EA/2010/0085) (on which, see my post here) and Brett v IC (EA/2008/0098) imposed an important gloss on that principle. The Tribunal in Ferguson summed up the point thus:

“It is often stated that requester’s rights under FOIA are purpose-blind, in the sense that an applicant’s personal identity and motives for requesting information are irrelevant. This generalisation can mislead. There are some cases in which the applicant’s identity and motives may shed light on the public interests involved. More significantly, the applicant’s identify and motives can be of direct relevance to the exemption in FOIA s40(2) because of the provisions of DPA disclosure and to the interests pursued by the persons to whom the disclosure would be made. For example, a journalist or author may be able to outflank the s40(2) exemption by reliance upon DPA Schedule 3 condition 10 and paragraph 3 of the Schedule to the Data Protection (Processing of Sensitive Personal Data) Order 2000, where it is in the substantial public interest that wrongdoing should be publicised.”

The Tribunal in Smith agreed. The appeal, however, failed because disclosure of this information would not be “in the substantial public interest”.

The Tribunal thought it “reasonable to assume… that the public had an ongoing need for reassurance as to the level of activity by sexual offenders in particular localities and transparency and accountability in what the police were doing about it”. The threshold of “substantial public interest”, however, required a certain level of urgency in the need to reassure the public. That threshold was not met here.

In reaching this conclusion (which the Tribunal described as “finely balanced”), the Tribunal took into account: the evidence as to the machinery for the monitoring and supervision of sex offenders in the community; the risk of vigilantism, which can force suspects to “disappear”, which in turn increases the risk of reoffending. It added that:

“It was not enough, in the Tribunal’s view, that sexual offences by teachers or others in positions of trust was a matter of keen interest to the public. This, on its own, did not make disclosure “in the substantial public interest”. It was the Tribunal’s task to weigh against the wholly understandable concern felt by members of the public on this subject, the detrimental effects that disclosure could have.”

The upshot was that, although disclosure would be fair, section 40(2) took effect because no Schedule 3 condition would be met.

Robin Hopkins

Tags: , , , , ,
Posted in INFORMATION LAW | Comments Off

CONSTRUCTION WORKER ‘BLACKLISTING’ DATABASE – NEW TRIBUNAL DECISION

July 29th, 2011 by Robin Hopkins

The Tribunal has this week given its decision in Ritchie v IC (EA/2010/0041). The case involved a “blacklist” which had been compiled and maintained by an organisation called the Consulting Association. The database consisted of the names and personal details of workers in the construction industry who had engaged in trade union or other activities in furtherance of employment rights. A number of major companies in the construction industry paid annual subscriptions and, as potential employers, were able to access individual records for a fee. The ICO investigated the matter, successfully prosecuted the proprietor of the Consulting Association and seized the database. It invited potentially affected workers to make subject access requests whereby they could receive information about them held in the database.

The General Secretary of the union UCATT subsequently requested from the ICO all files containing references to a number of named trade unions. This was one of the (relatively rare) cases in which the ICO was both the public authority and the regulator.

The ICO refused the request, relying on section 44 FOIA (disclosure prohibited under an enactment) in combination with section 59(1) DPA, which (to paraphrase and summarise) prohibits disclosure of information obtained by the Commissioner “under or for the purposes of the Information Acts” unless there is “lawful authority” for that disclosure. The Tribunal has upheld that refusal.

No commentary from me on this one, given my involvement in the case. I shall, however, point out that the decision covers the following issues: scope of the request; whether information is “publicly available”; the meaning of “lawful authority” under section 59(1) DPA; whether requests by unions are made with the “consent” of members; whether disclosure would be ”necessary in the public interest”; personal data; Articles 9, 10 and 11 of the ECHR.

Robin Hopkins

Tags: , , , ,
Posted in Uncategorized | Comments Off

“SANDSTORM” PERSONAL DATA AND THE BCCI COLLAPSE

July 19th, 2011 by Robin Hopkins

The Tribunal’s recent decision in Sikka v IC and HMT (EA/2010/0054) is a good illustration of how FOIA exemptions (here concerning prejudice to international relations and personal data) may be trumped by the overwhelming interest in the public being informed about corporate wrongdoing on a massive scale – including the public knowing the names of those involved in that wrongdoing. Some topical resonance perhaps.

It is also another useful illustration of how personal data should not be assessed on a “one size fits all” basis, but should (where appropriate) be analysed by category. In other words, distinguish between, for example, companies, senior management, employees and customers.

Background

In March 1991, the Bank of England instructed Price Waterhouse to undertake an audit of The Bank of Credit and Commerce International. Price Waterhouse submitted a draft of its report, known as the “Sandstorm” report. The report was never finalised, but the Bank of England relied on the draft to justify its decision to order BCCI immediately to close down its activities in the UK. That led to the collapse of BCCI into insolvency, owing creditors around the world something in the region of US$10 billion.

By the time of the request for a copy of this report (March 2006), an almost complete copy of the Sandstorm Report had been published on the internet, even though it had never been formally published by the Bank of England, albeit with certain names redacted and certain sections missing. The Bank of England relied upon section 40(2) (personal data) and section 27(1)(a) (prejudice to international relations) in refusing to disclose this remaining information. The Commissioner agreed. For the most part, the Tribunal did not.

Prejudice to international relations

The Tribunal agreed that section 27(1)(a) was engaged, but decided that the public interest favoured disclosure. At paragraph 31, it said this:

“Although the material proposed to be redacted under this exemption comprises just a few sentences in a 44 page report, it does contribute a very relevant element to the story as a whole. And we do not think that the public interest is materially reduced by the appearance of much of the same information in other published reports. The public has an interest in seeing how each of those who carried out an investigation illuminated the facts and assessed the actions of those who were involved, whether they contributed to the problems, tried to resolve them or played a neutral role. The weight we apply to this element of public interest has been heavily influenced by our view of the importance of the events surrounding the collapse of BCCI, the serious ramifications it had for many innocent people caught up in it and the questions it raised about the regulation and auditing of a large international institution.”

Personal data

A number of categories of allegedly personal data were identified. An interesting category was the names of companies, from which it was argued that individuals could be identified. The Tribunal was not persuaded by the evidence as to the risk of identifiability.

In any event, as regards senior management, it took the view that “those having [such] positions in either BCCI or other organisations that were closely involved in the unlawful elements of its activities should be identified”, given the seriousness of the issue.

The Commissioner had decided that the names of employees should not be disclosed, whether or not their involvement with BCCI had previously been raised in the course of criminal proceedings. He argued as follows. If they had been convicted, it might be unfair to raise their involvement again some 15 years or more after the event. If they were acquitted, or faced no criminal action, there would be unfairness in blighting future employment prospects by disclosing, in 2007, their involvement with BCCI some years previously. The Tribunal disagreed in part. Its view was that the question of disclosure in these circumstances should turn on the seniority of the employee. At paragraph 44, it said this:

“As regards the potential impact on future employment prospects of those who were acquitted or never prosecuted, we believe that any truthful job application and curriculum vitae will, in any event, include mention of time spent in the employment of BCCI. We do not think that those individuals mentioned in the confidential schedule, whose names we say should be disclosed, should be encouraged to omit or misrepresent this part of their career history, given the criticism voiced in the Sandstorm Report and the importance of employee competence and honesty to future employers in the banking sector.”

As regards the personal data of BCCI customers, the Tribunal distinguished between those whose hands were clean with respect to the BCCI fraud (do not disclose) and those whose hands were not (disclose).

Much turned on the gravity and public profile of the BCCI collapse. In these circumstances, the Tribunal found that information aired in a public trial was likely to remain in the public domain (contrast Armstrong v IC and HMRC (EA/2008/0026)), and that the passage of time undermined rather than strengthened the argument in favour of individual privacy.

Robin Hopkins

Tags: , ,
Posted in INFORMATION LAW | Comments Off

PERSONAL DATA: CRUCIAL POINTS FROM THE ‘ABORTION STATISTICS’ CASE

June 14th, 2011 by Robin Hopkins

Judgment in Department of Health v IC [2011] EWHC 1430 (Admin) – the ‘abortion statistics’ appeal – was handed down on 20 April this year. Cranston J’s judgment has now been made available. The following salient points from that judgment may be of use to those interested in the concept and extent of ‘personal data’ under s. 40 FOIA and the DPA – especially when looking at the grey area of statistics or other anonymous data which is rooted in or derived from other data which is more overtly personal. The judgment is also essential reading for anyone grappling with the application of the leading House of Lords decision on this subject, Common Services Agency v Scottish Information Commissioner [2008] UKHL47, [2008] 1 WLR 1550 (‘CSA’). (‘Grappling’ is probably apt: even Cranston J conceded that “it would be wrong to pretend that the interpretation of the CSA case is an easy matter”).

Briefly by way of background: the Department refused a request for detailed statistics on the number of late-term abortions carried out on prescribed grounds. It relied on s. 40 FOIA, basing its case on the risk that, given the ‘low cell counts’ in these categories, the relevant patients and/or doctors might be identified by those sufficiently motivated to do so. The Commissioner found that these statistics were not personal data. The Information Tribunal agreed with the Department that they did constitute personal data, but was not satisfied that s. 40 was effective, as there was insufficient risk of identification.

On the Department’s appeal to the High Court, Cranston J agreed with the Commissioner that these statistics are not personal data.

One route to that conclusion was that advocated by the Commissioner, namely to adopt the approach of Baroness Hale in CSA: anonymised statistics remain personal data and therefore subject to the protection of the DPA in the hands of the data controller (who possesses the underlying data from which individuals could be identified) but not in the hands of the general public (who do not). This approach commended itself to the Upper Tribunal in the recent case of All Parliamentary Group on Extraordinary Rendition v Information Commissioner [2011] UKUT 153 AAC (on which, see my post here).

Cranston J, however, rejected that route, as it was the reasoning of Lord Hope rather than Baroness Hale in CSA which had attracted the majority’s support in that case. Lord Hope’s approach can be paraphrased as follows. The definition of personal data under s. 1 DPA provides for two means of identification: either from the data itself (inapplicable in the case of anonymous statistics) or from “from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”. Lord Hope’s approach to situations such as this is to ask: does the ‘other information’ (if provided to the hypothetical member of the public) add anything to the statistics which would enable them to identify the underlying individuals? If the answer is no, the statistics are not personal data. The underlined words are important: if identification can be achieved from the ‘other information’ in isolation (rather than when added to the statistics) then the statistics themselves are truly anonymous, and are not personal data. The statistics in this case failed Lord Hope’s test, and were thus not personal data.

Cranston J’s conclusion was that the Tribunal had been correct to conclude that the data was ‘truly anonymised’ – but it had erred in treating this as personal data which had been truly anonymised. The Department contended that, because it held the underlying identification data, the abortion statistics remained personal data in all circumstances. Cranston J rejected this submission, stating that:

“If that were the case, any publication would amount to the processing of sensitive personal data…  Thus, the statistic that 100,000 women had an abortion in a particular year would constitute personal data about each of those women, provided that the body that publishes this statistic has access to information which would enable it to identify each of them.  That is not a sensible result and would seriously inhibit the ability of healthcare organisations and other bodies to publish medical statistics”.

In going on to dismiss the Department’s other grounds of appeal, Cranston J made a number of other points of general application. For example, in rejecting the criticism that the Tribunal had failed adequately to engage with the Department’s expert evidence, Cranston J said this:

“To begin, the issue before the Tribunal was one of assessment: the likelihood that a living individual could be identified from the statistics.  That was in my judgment only partly a question of statistical expertise, as regards matters such as the sensitivity of the data.  Partly, also, it was a matter of assessing a range of every day factors, such as the likelihood that particular groups, such as campaigners, and the press, will seek out information of identity and the types of other information, already in the public domain, which could inform the search.  These are factors which the Tribunal was in as good a position to evaluate as the statistical experts, a point which one of the Department of Health’s experts conceded.  The analysis also applies to the evidence of senior civil servants.”

As regards the Department’s contentions that conditions from Schedules 2 and 3 of the DPA were not met, their points were “wounding” to the Tribunal’s judgment, but not “fatal”, in light of the evidence at the Tribunal hearing. Finally, Cranston J described the Department’s argument based on Article 8 ECHR as “very much a jury argument”.

Interestingly, on the same day as judgment was given in this case, the High Court (Kenneth Parker J) gave judgment in R (BT & Anor) v The Secretary of State for Business, Innovation and Skills [2011] EWHC 1021 (Admin)  – BT’s unsuccessful application for judicial review of the Digital Economy Act 2010 (on which, see my piece here). One of the grounds of challenge was alleged non-compliance with the Data Protection Directive. In that judgment, IP addresses (anonymous strings of numbers linked to internet subscribers’ accounts) were treated as personal data even in the hands of copyright owners who possessed only those IP addresses. This was by application of the definition of personal data under the Directive: here copyright owners were deemed likely to come into possession of the underlying personal data when taking legal action against the individual internet subscribers who downloaded content in breach of copyright. This conclusion was reached independently of the Lord Hope test. Note, however, that it seems from the judgment that this question – are IP addresses always personal data or not – was not argued in full before Kenneth Parker J. There is talk of a potential appeal, so the application of these principles to IP addresses might be considered in the courts again before too long.

Robin Hopkins

Tags: , , , ,
Posted in INFORMATION LAW | Comments Off

PERSONAL DATA, REPEAT AND VEXATIOUS REQUESTS AND INVESTIGATIONS

June 7th, 2011 by Rachel Kamm

In Jeffery Lampert v IC and Financial Services Authority EA/2010/0203, the appellant was involved in a long running dispute with a bank, which had called on his guarantee of a loan and commenced bankruptcy proceedings against him. His MP had raised the matter with the FSA and the appellant believed that this had led to at least one investigation of the bank. The appellant subsequently made a freedom of information request for information held by the FSA recording the outcome of investigations into the bank about the matter and the calculation of the bank’s loss. The Information Commissioner found that any information falling within the scope of the request was the appllant’s personal data and therefore absolutely exempt from disclosure under FOIA. The First-Tier Tribunal found that:

  • there had been no investigation by the FSA of the bank and there was no document in existence which contained a calculation of the bank’s loss;
  • any information falling within the scope of the request would not have been the appellant’s personal data; applying Durantthe Commissioner was wrong to decide, in effect, that, merely because the information requested arose from the appellant’s complaints, it all constituted his personal data;
  • the FSA was entitled to rely on section 14(1) FOIA, in that this was a repeat request and a reasonable interval had not elapsed since the previous substantially similar request; and, further
  • there was ample material from which it could be found that the appellant’s request was vexatious.

In Public Prosecution Service for Northern Ireland v IC and John Collins EA/2010/0109, Mr Collins requested the PPS documentation (excluding names and addresses) relating to a particular criminal damage case. It was not in dispute that section 30(1) FOIA was engaged and the only issue for the First-Tier Tribunal was whether the public interest in maintaining the exemption outweighed the public interest in disclosure. The Tribunal accepted that it had to take into account the need for prosecutors to have a safe space in which to decide whether or not a case met the threshold for pursuing a prosecution, without fear of frank assessments being publicised after the event. Eroding this safe space would undermine the independence of prosecution authorities, compromise the quality of decision making, potentially deter witnesses from co-operating and undermine (without good reason) public confidence in those authorities. The Tribunal held that these factors attracted very substantial weight. The Tribunal found, having considered the disputed information, that there was no reason to suspect that the prosecuting authority had made substantial mistakes in this case. The public interest in maintaining the exemption therefore clearly outweighed the public interest in disclosure.

Tags: , , , , ,
Posted in Uncategorized | Comments Off

EXTRAORDINARY RENDITION UPPER TRIBUNAL APPEAL: LATE RELIANCE, PERSONAL DATA & OTHER ISSUES

April 26th, 2011 by Robin Hopkins

The All Party Parliamentary Group on Extraordinary Rendition (APG) requested information from the Ministry of Defence on (i) memoranda of understanding between the UK and the governments of Iraq, Afghanistan and the USA regarding the treatment of prisoners detained in the conflicts in Iraq and Afghanistan, (ii) a copy of the Detentions Practices Review, (iii) a copy of the UK’s policy on capture and joint transfer, and (iv) statistics on detainees held in Iraq and Afghanistan. The MOD refused the requests, relying on a number of exemptions under FOIA. For the most part, the Commissioner agreed. APG’s appeal was expedited to the Upper Tribunal and heard by Blake J, Andrew Bartlett QC and Rosalind Tatam.

Except as regards request (iii), its appeal has succeeded, to a limited but substantial extent. The Upper Tribunal has ordered disclosure or significantly more information than that ordered by the Commissioner.

Its judgment (available here) is complex. Some of the key points of interest are as follows.

Late reliance

The Upper Tribunal was mindful of the decision of a differently constituted Upper Tribunal in the DEFRA/Brikett appeals, where it was held that public authorities may rely on exemptions as of right at any stage in proceedings. In this case, the Upper Tribunal did not need to decide the issue of late reliance, but it did confess to having “some general concerns” about such an approach, which threatens to “turn the time limit provisions of ss. 10 and 17 almost into dead letters”, and “can also create a strong sense of injustice”. The internal review mechanism provides sufficient time for the public authority to make its mind up; if new points are taken thereafter, “then fairness requires that the requester should be allowed to add to the terms of his complaint under s. 50(1)”.

Cost of compliance under s. 12 FOIA

The Upper Tribunal approved principles from Urmenyi v IC and LB Sutton (EA/2006/0093) concerning the Commissioner’s enquiries into the assumptions behind the public authority’s estimate, and from Roberts v IC (EA/2008/0050) about the activities falling within s. 12 and the reasonableness of estimates.

Late reliance on s. 12 is a different matter to late reliance on exemptions under Part II of FOIA. Delay by a public authority robs the requester of the opportunity to split the request into parts separated by 60 days, thereby avoiding s. 12. The cost exemption “only has meaning if the point is taken early on in the process, before substantial costs are incurred” – it looks at whether costs would exceed, not whether they have been exceeded.

In the present case, the MOD’s estimate was not reasonable because it was based upon a search for a broader class of information than that which was actually requested.

Prejudice to international relations under s. 27 FOIA

The Upper Tribunal was not persuaded that this exemption was effective: “since the maintenance of the rule of law and protection of fundamental rights is known to be a core value of the government of the United Kingdom, it is difficult to see how any responsible government with whom we have friendly relations could take offence at open disclosure of the terms of an agreement or similar practical arrangements to ensure that the law is upheld”.

Legal professional privilege under s. 42 FOIA

This exemption was engaged, and the public interest in favour of disclosure of the UK’s Detention Practices Review did not outweigh the public interest in maintaining the exemption.

Bodies dealing with security matters under s. 23 FOIA

The MOD successfully relied on this exemption – including where it was relied on “late”.

Personal data under s. 40 FOIA and the conditions in Schedule 2 DPA

Information on the dates and locations of individual cases of detention and prisoner transfer would not enable identification of those individuals, and was thus not personal data. If it had been personal data, condition 6(1) from Schedule 2 DPA would have been met.

APG in fact submitted that conditions 4, 5(a), 5(d) and 6(1) would be met by disclosure of statistics on detainees. The MOD submitted that a number of these conditions could not be relied on in the context of a request under FOIA because the public at large (to whom disclosure under FOIA is deemed to be made) cannot fulfil these conditions. The Upper Tribunal disagreed: at least some of these conditions can be fulfilled by a member of the public, and that is sufficient.

APG further relied on s. 35(2) DPA, which provides an exemption from the non-disclosure provisions of the DPA where disclosure is “necessary for the purposes of establishing, exercising or defending legal rights”. The Upper Tribunal confirmed that “establishing” for these purposes had the sense of “vindicating” rather than merely determining what the relevant rights are.

Where data is anonymised, it continues to attract the protection of the data protection principles insofar as it is in the hands of the data controller (who holds the key to identification of the otherwise anonymous data subjects). “But outside the hands of the data controller, the information is no longer personal data, because no individual can be identified… the best analysis is that disclosure of fully anonymised information is not a breach of the [DPA] because at the moment of disclosure the information loses its character as personal data”. The publication of truly anonymised or other “plain vanilla” data therefore does not involve “processing of personal data” for DPA purposes.

Related judgments

On the late reliance issue, permission to appeal to the Court of Appeal is being sought in the DEFRA/Birkett case.

On the s. 40 FOIA issue, the Upper Tribunal’s decision needs to be read in conjunction with the High Court’s decision (also handed down very recently) in the Department of Health’s “abortion statistics” appeal.

Tags: , , , , , , ,
Posted in INFORMATION LAW | Comments Off

TWO HIGH COURT ‘PERSONAL DATA’ JUDGMENTS: DIGITAL ECONOMY ACT 2010 AND ABORTION STATISTICS

April 20th, 2011 by Robin Hopkins

The High Court has today handed down two judgments of some significance in the context of personal data.

This morning, Kenneth Parker J gave judgment in the application brought by BT and TalkTalk for judicial review of the Digital Economy Act 2010 (on which, see my earlier discussion here). The Act seeks to combat illegal file-sharing by allowing copyright owners to detect apparently unlawful online activity and report it to the suspect’s internet service provider, who must then warn the suspect against repeat infringements. The claimants contended, among other things, that this regime breached EU data protection law. Their claim failed on this and three other grounds, succeeding only with their fifth ground, which contended that internet service providers should not have to foot 25% of the bill for the regime imposed by the Act. Read the DCMS’ press release here.

This afternoon, Cranston J gave judgment in the “abortion statistics” appeal (on which, see my earlier Panopticon post here). The Information Tribunal had upheld the Commissioner’s decision to order disclosure of “low cell count” statistics as to the number of abortions carried out on specified grounds. Argument had focused on the risk of doctors, and in particular patients being identified. The Department of Health’s appeal to the High Court was dismissed. The judgment represents a notable development in jurisprudence on personal data.

More analysis to follow when these judgments are made available.

Tags: , , , ,
Posted in INFORMATION LAW | Comments Off

« Older Entries