Section 40 FOIA provides for a number of exemptions in respect of ‘personal data’. The exemption which is most frequently prayed in aid by public authorities is the one provided for under s. 40(2), read together with s. 40(3)(a)(i). In essence, under these provisions, information will be absolutely exempt from disclosure under FOIA if: (a) it amounts to personal data, as defined in s. 1 of the Data Protection Act 1998 (“DPA”) and (b) its disclosure would contravene one or more of the data protection principles provided for under schedule 1 to the DPA. In practice, it can be very difficult to apply this exemption, particularly where the information in issue may comprise personal data relating to a number of different individuals. It was precisely this issue which the Tribunal had to tackle in the recent case of Bryce v IC & Cambridgeshire Constabulary (EA/2009/0083). In Bryce, a request had been made by Ms Bryce for disclosure of a police investigation report. The report addressed concerns which had been raised by Ms Bryce and others about the way in which the Cambridgeshire Constabulary had investigated the death of Ms Bryce’s sister, who had been killed by her husband. The Tribunal held that the report contained a multiplicity of different types of personal data including: Ms Bryce’s personal data; the husband’s personal data; personal data relating to the husband’s family; the personal data of witnesses; personal data relating to the deceased’s family; and personal data relating to officers who had conducted the investigation. Apart from Ms Bryce’s own personal data, which was exempt from disclosure under s. 40(1) FOIA, the Tribunal approached the question of how the s. 40(2) exemption applied to the remaining data by conducting a discrete analytical exercise in respect of each type of data. It is clear from the Tribunal’s analysis that it was of the view that very different considerations applied, for example, in respect of officers’ data as compared with the data relating to the husband’s family. The key implication of this judgment is that a public authority will expose itself to challenge under FOIA if it simply adopts a blanket ‘one size fits all’ approach to information comprising diffuse types of personal data. The judgment is also notable in that it applies the approach to the concept of ‘personal data’ which was approved in Durant v Financial Services Authority, rather than the arguably more liberal approach embodied in the Commissioner’s guidance: ‘Determining What is Personal Data’.
LAW OF CONFIDENCE - THE TRUMP CARD IN MATRIMONIAL PROCEEDINGS
August 3rd, 2010 by Anya Proops
The Court of Appeal has recently handed down an important judgment on the application of the law of confidence in matrimonial proceedings: Tchenguiz & Ors v Imerman [2010] EWCA Civ 908. The background to the case was that an application for ancillary relief had been made by Mrs Tchenguiz Imerman (TI) against her husband, Mr Imerman. Fearing that Mr Imerman may seek to conceal the nature and extent of his assets in the context of the ancillary relief proceedings, one of TI’s brothers, possibly with the help of others, accessed a computer server in an office which Mr Imerman shared with TI’s brothers and then copied information and documents which Mr Imerman had placed on that server relating to his assets. In order to prevent TI relying on the information and the documents in the ancillary relief proceedings, Mr Imerman sought to restrain the defendants from communicating the information and documents which they had obtained to any third party (including TI and her lawyers). He also sought delivery up of all copies of the documents. Eady J granted the orders sought by Mr Imerman. The defendants appealed to the Court of Appeal. The central issue for the Court of Appeal was essentially whether TI should be allowed to use the information and documents in the context of the ancillary relief proceedings, despite the fact that they appeared to have been obtained by the defendants in breach of confidence and, hence, unlawfully. The case was rendered particularly complex as a result of what is commonly known in matrimonial proceedings as the ‘Hildebrande rules’. Historically, these rules have been applied by the courts in matrimonial ancillary relief proceedings so as generally to allow individuals to rely on evidence as to their spouses’ assets notwithstanding that that evidence has been unlawfully obtained.
In summary, the Court of Appeal held as follows:
· the information/documents had been unlawfully obtained by the defendants as they had been obtained in breach of confidence (and, further, in breach of Mr Imerman’s right to privacy);
· it may be that the obtaining of the information/documents had also amounted to: (a) criminal conduct on an application of s. 17 of the Computer Misuse Act 1990; (b) unlawful processing of Mr Imerman’s personal data under s. 4(4) Data Protection Act 1998 (DPA); and, further, (c) a criminal act under s. 55 DPA; although having found that the information/documents were obtained unlawfully in breach of confidence, the Court did not need to reach a concluded view on these issues;
· the question for the Court was whether it should effectively condone the illegal self-help methods adopts by the defendants simply because it was feared that Mr Imerman may behave unlawfully and conceal that which should be disclosed in the ancillary relief proceedings. The answer to that question was: ‘No’ (see para. 107). As the Court suggested: ‘The tort of trespass to chattels has been known to our law since the Middle Ages and the law of confidence for at least 200 years, yet no hint of any defences of the kind now being suggested is to be found anywhere in the books’ (para. 117). Thus, the Hildebrande rules could not be justified on any grounds;
· if there were concerns that an individual may seek dishonestly to conceal assets in the context of ancillary relief proceedings, the correct course would be for the spouse to seek to protect her/his position through lawful means, for example by applying to the court for an anton pillar order.
The judgment is important not least because it highlights the essentially inalienable nature of the common law rights to confidentiality and privacy. There is no doubt that the judgment will be controversial, not least because of concerns that it fails to recognise the significant power imbalance which often obtains between spouses in matrimonial proceedings.
LANDMARK IPT DECISION ON LOCAL AUTHORITY’S USE OF RIPA
August 2nd, 2010 by Robin HopkinsThe Investigatory Powers Tribunal today issued its decision in the first substantive public case on the use of surveillance powers under the Regulation of Investigatory Powers Act 2000.
Poole Borough Council suspected that Jenny Paton and her family may have lied about living in the catchment area of a sought-after primary school in Dorset. It therefore monitored their activity for around 3 weeks in 2008. This included covertly monitoring the movements of family members and their car, as well as examining the contents of their rubbish.
The IPT found that:
(1) investigating a potentially fraudulent school application was not a proper purpose in the sense required by RIPA;
(2) in these circumstances, the Council’s actions were in any event disproportionate, in that they were not necessary to achieve that aim, and
(3) the Council’s actions had breached the family’s rights under Article 8 of the ECHR.
Poole Borough Council has accepted the ruling and apologised to Ms Paton and her family.
DATA PROTECTION IN EUROPE - JUDGMENT IN BAVARIAN BEER
July 2nd, 2010 by Anya ProopsOn 29 June 2010, the European Court of Justice handed down an important judgment on how provisions within EU law which permit access to documents held by EU institutions are to be applied where the documents contain third party personal data – European Commission & United Kingdom v Bavarian Lager (Case C-28/08 P). The case involved an application for disclosure of a document held by the European Commission which recorded discussions on the application of certain beer import restrictions within the UK. A number of individuals were identified by name in the document. The application for disclosure was made by Bavarian Lager under EU Regulation 1049/2001 (the Access Regulation). The Access Regulation is designed to facilitate public access to documents held by EU institutions with a view to increasing their transparency and accountability. Importantly, like FOIA, the Access Regulation is, on its face, motive-blind (i.e. it does not require the applicant to establish a legitimate reason for accessing the information). The Commission provided the requested document, save that it redacted the names of certain individuals identified in the document. The key issue which arose in the case was whether, in deciding whether to release the names of the individuals in question, the Commission had been entitled to take into account whether Bavarian Lager had established that it had legitimate interests in receiving this particular data.
The Court of First Instance (now ‘the General Court’) held that: (a) particularly having regard to the motive blind nature of the Access Regulation, the Commission had erred in taking into account Bavarian Lager’s interests in receiving the information and (b) the names should be disclosed. On appeal by the Commission, the ECJ overturned the CFI’s judgment. In summary, the ECJ reached the following conclusions on the appeal:
(1) the CFI had erred because it had failed to have due regard to the way in which the Access Regulation effectively deferred to provisions contained in other EU legislation, particular Regulation 45/2001 which is specifically concerned with protecting individuals with regard to the processing of their personal data by EU institutions (“the DP Regulation”);
(2) the DP Regulation itself required consideration of the question of whether the applicant had a legitimate interest in receiving the particular personal data;
(3) accordingly, the Commission had not erred when it decided that Bavarian Lager had not established a legitimate interest in receiving the personal data contained in the documents;
(4) the data had been lawfully withheld by the Commission.
11KBW’s Jason Coppel appeared on behalf of the United Kingdom.
PRIVACY ACROSS THE POND
June 25th, 2010 by Anya ProopsOn Thursday, the US Supreme Court unanimously held that a Police Chief did not violate a police officer’s 4th amendment rights by reading personal text messages which the officer had send via a pager provided to him by his employer - see the judgment here. The 4th amendment guarantees a person’s privacy, dignity, and security against arbitrary and invasive governmental acts. The text messages were sent on a pager provided by the officer’s employer, they included a number of sexually explicit messages. The texts were reviewed as part of a process of examining whether officers were using the pagers excessively for personal use. In a judgment which rejected a broad right of privacy for workers, the Supreme Court recognised that interferences with privacy may be justified where there is a reasonable suspicion that rules are being breached by the employee. Notably, the Supreme Court recognised that, in an age of fast-evolving technology, the law of privacy should develop flexibly rather than through the introduction of broad, rigid rules.
PATIENT INFORMATION - MADE FOR SHARING?
June 17th, 2010 by Timothy Pitt-Payne QCSharing patient information in the NHS has proved highly controversial. We posted about this subject here a while back. Now there’s a new report from UCL researchers, suggesting that two key recent NHS IT programmes for handling patient information have so far delivered only modest benefits. A short summary appears here, with links to the executive summary and the full report. A research paper based on the findings has been published in the BMJ.
The three year UCL project looked at the Summary Care Record (SCR) and at Healthspace, both introduced as part of the NHS National Programme for IT.
The SCR is an electronic summary of key health data, taken from GP records and other sources, and available to a range of NHS staff. According to the UCL report, very few people had chosen to opt out; less than 1% of those who had been sent the relevant information. But SCRs were not yet widely used; even where available, they were only accessed in 21% of clinical encounters. So far there was little evidence that SCRs improved patient safety or reduced consultation length or hospital admissions.
HealthSpace is a tool that allows patients to update their own health information, plan healthcare appointments, and contact their GP via a secure internet connection. So far, take up has been very low. According to the UCL study only one person in 200 who was invited to open a basic account did so, and only one in 1000 opened an advanced account.
The report’s lead author, Professor Greenhalgh, is quoted as saying: “This reseach shows that the significant benefits anticipated for these programmes have, by and large, yet to be realised - and that they may be acheived only at high cost and enormous effort … It serves to demonstrate the wider dilemma of national databases: that scaling things up doesn’t necessarily make them more efficient or effective.”
PRIVACY IN THE DOCK
June 10th, 2010 by Anya ProopsIt is a fundamental rule of our justice system that it should be administered in public (Attorney General v Leveller Magazine Ltd [1979] AC 440). In the criminal justice system this rule generally operates so as to require individuals who are charged with an offence to give their home address in open court. But what is the position if the accused claim that confirming their address in open court will expose them and their family to attack? Are they entitled to demand that their address be given in camera? This is an issue which was recently posed in the case of R(Harper) & Anor v Aldershot Magistrates Court & Anor [2010] EWHC 1319 Admin. In this case, two senior police officers who had been charged with the offence of misconduct in public office sought to judicially review a ruling of the Magistrates Court that they must each confirm their address in open court. The officers, who had been suspended from duty, claimed that the ruling was unlawful because there was a real and genuine fear of reprisal and the safety of the officers and their family was at risk. The Court rejected the claim on the basis that any fears which the officers may have had were unreasonable, particularly because publication of their address would not in fact enhance any risk that they faced (notably, the addresses could simply have been accessed through the electoral roll). In reaching the conclusion that the ruling was lawful, the Court took into account not least Lord Diplock’s judgment in Belfast Telegraph Newspaper Limited’s Application [1997] NI QBD 309. In that case, Lord Diplock held that information may be withheld in criminal proceedings on the basis that this was necessary to serve the public interest in the administration of justice but that it could not be withheld simply in the interest of protecting ‘the private welfare of those caught up in that administration’ (at page 314F). The Court in Harper noted that there might be circumstances in which the individual’s well-being may overlap with the administration of justice such that the information can be withheld in the public interest. However, these were not the facts of the instant case. Notably, there is no analysis in the judgment of the application of Article 8 ECHR. Nor further is there any explicit consideration of the rights of the families of the accused. Query what role these considerations would have played if the facts of Harper had been less clear-cut.
FROM BIG BROTHER SOCIETY TO BRAVE NEW WORLD?
May 12th, 2010 by Timothy Pitt-Payne QCThe Conservative/Lib Dem coalition agreements are available here. Under the heading “Civil Liberties” there are a number of points that should interest readers of this blog. These include:
* the scrapping of the ID cards scheme, the National Identity Register, the next generation of biometric passports and the Contact Point database;
* outlawing the fingerprinting of children at school without parental permission;
* extending FOIA to provide greater transparency;
* adopting the Scottish model for the DNA database;
* further regulation of CCTV; and
* ending the storage of internet and email records without good reason.
Taken together these suggest that information law issues will continue to be centre stage in political terms.
GOOGLE IN EUROPE - PRIVACY CONTROVERSIES CONTINUE
May 2nd, 2010 by Anya ProopsIn March 2010, we posted on a New York Times article which explored how Google’s quest to increase access to information via the internet appeared to be clashing with European privacy laws. The article followed in the wake of the prosecution in Italy of Google executives for violating Italian privacy laws after Google allowed a user to post a video showing an autistic boy being bullied. More recently, further controversies over Google’s record on privacy rights have emerged. First, privacy regulators from a number of different countries, including our own Information Commissioner, Christopher Graham, wrote a joint letter to Google’s chief executive and challenging him to improve protections for users, thereby highlighting concerns that Google is not doing enough to protect the privacy of users – see further this article in the Guardian dated 20 April 2010. Second, last week reports emerged that German regulators had renewed their criticism of Google’s Streetview when it emerged that Google was using the Streetview system to archive information about the location of household wireless networks – see this article in the New York Times dated 29 April 2010. What these developments suggest is that the clash between European social values and the expansion of Google’s techno-commercial empire is likely to continue for some time to come.