PRIVATE EMAILS AND TEXTS SUBJECT TO FOIA

December 15th, 2011 by Robin Hopkins

Following the emergence earlier this year that Department for Education officials had, apparently routinely, used personal email accounts for the conducting of official business, the ICO has considered this issue. It has today issued guidance that many FOI officers and lawyers will find notable, to say the least.

The key points:

  • FOIA applies to official information held in private email accounts when held on behalf of the public authority. So too text messages. This much is obvious from the definition of ‘held’ in s. 3 of FOIA. The question is exactly what this means, and what to do about it.
  • There will be occasions on which, having searched its own systems, the public authority will be expected to ask employees (or contractors etc) to search their personal email accounts/text messages for information described in a FOIA request.
  • The ICO expects such occasions to be ‘rare’. I think this means that the ICO will not expect the public authority to do so simply because a requester asks it to; something more will be required.
  • What is that ‘something more’? The ICO recommends public authorities look out for ‘relevant factors’ which may trigger the duty to ask.
  • These factors include the nature, wording and subject matter of the request.
  • They also include “how the issues to which the request relates have been handled within the public authority”. This may be another way of asking: is the public authority aware that this sort of thing has been going on?
  • Another relevant factor is “by whom and to whom the information was sent and in what capacity, e.g. public servant or political party member”. This is often a blurred line, one imagines. Not sure how this could be scrutinised (other than hacking into private systems, which is not nice, not fashionable and not legal).
  • Public authorities should establish procedures for dealing with such situations.
  • They should keep records of any private email account/text message searches they have requested.
  • Public authorities should remind staff that, where a request for information to which the requester would be entitled has been made, it is a criminal offence to erase or conceal that information with the intention of preventing disclosure (see s. 77 of FOIA).
  • ‘Concealment’ would include denying that anything of an ‘official capacity’ nature is (or, at the time of the request, was) in one’s private email inbox or text message folder.
  • Public authorities should tell their employees not to use private channels for official business in the first place.

Panopticon understands from some of its friends in the media that requests aiming at exactly this sort of information were fired off this morning (or earlier this week, in anticipation of the new ICO line).

Meanwhile, a decision on the complaint against the Department for Education is in the pipeline.

Panopticon will be keeping its Benthamite eye on how these matters unfold.

Robin Hopkins

Tags: , , , ,
Posted in INFORMATION LAW | Comments Off

Launch of Information Law Reports

July 19th, 2011 by Rachel Kamm

 The Information Law Reports launched on 14 July 2011, with the following announcement on 11KBW’s website:

Leading chambers 11KBW and legal publisher Justis Publishing are collaborating in a first for both organisations: the creation of a new series of law reports available both in bound volumes from next week and on the established Justis platform from this morning.

Information law is ever more important, seeking to balance the “right to know” and the “right to be left alone” in an age of massive databases and global information flows. We all want to protect our own privacy; but we also want to understand how public authorities make decisions and spend our money. This new series will help professionals grapple with these issues.

Timothy Pitt-Payne QC, a barrister at 11KBW and one of the editors of the new reports, said: “There is a growing case-law, generated by the specialist Information Rights Tribunal and the higher courts. Navigating this material and quickly identifying the most important recent developments is increasingly challenging. The Information Law Reports seek to meet this need, bringing together all the most important cases in a single source. 11KBW are delighted to be working with Justis on this much-needed project.

Masoud Gerami, Managing Director of Justis Publishing, said: “We have had a number of significant milestones in our 25-year history, mostly associated with innovation and developments which have changed legal information dissemination for the better. I am delighted that another milestone has been added to our list of achievements by producing the new series of Information Law Reports in association with 11KBW, the leaders in this increasingly important field. I believe that the complementary nature of the expertise from the partners in this project is the ideal requirement for any successful product or service, and we look forward to a continued relationship with 11KBW.”

He added: “This is also the first time that Justis Publishing has produced a product in hard copy, and we are very excited about the possibilities that the combination of hard copy and online versions will present.

For further information, please call +44 (0)20 7267 8989 or email press@justis.com.

Tags: , , , , , , , , , , ,
Posted in INFORMATION LAW | Comments Off

THE EUROPEAN COOKIE MONSTER

July 19th, 2011 by Rachel Kamm

Here’s an update to my post of 5 June about the ICO’s guidance on obtaining the consent of users before ‘cookies’ can be placed on machines. The European Data Protection Supervisor, Peter Hustinx, gave a public lecture on 7 July 2011 on the privacy implications of online behavioural advertising. This included discussion of ‘cookies’. He commented that browser providers have developed opt-out solutions, whereas the ideal is to have privacy-by-default unless individual preferences are set using a “privacy wizard”. The lecture also suggested that recent speeches made by the European Commission’s Vice President, Neelie Kroes, raise doubts about the Commission’s position on the e-Privacy Directive’s requirements; the Commission has expressed support for initiatives which Mr Hustinx considers are in fact non-compliant.

Tags: ,
Posted in Uncategorized | Comments Off

SOME REFLECTIONS ON SUPER-INJUNCTIONS AND PARALLEL UNIVERSES

May 23rd, 2011 by Robin Hopkins

The Committee on Super-injunctions, established in April 2010 in the wake of the Trafigura and Terry cases, was made up largely of judges and practising lawyers, but also included legal representatives from the Guardian and Trinity Mirror. Nonetheless, the media have not received its report, “Super-Injunctions, Anonymised Injunctions and Open Justice” warmly. The Independent has commented on the “absurdity” of the current situation, while the Daily Mail called the report “a chilling exercise in judicial activism, self-delusion and – most worrying – a constitutional attack on Parliamentary sovereignty and free speech”.

Tensions have escalated since the publication of the report on Friday, and reached a head today. Footballer “CTB” (as his injunction order refers to him) has obtained a disclosure order requiring Twitter (based in California) to divulge the names of the “persons unknown” (resident, of course, in jurisdictions unknown) who have referred to his identity in their tweets. Scotland’s Sunday Herald flouted the order of the High Court of England and Wales in publishing the player’s name. This has apparently prompted calls for the Attorney-General to take action against the journalist responsible, a course of action which in the view of SNP leader Alex Salmond would be unwise. Mr Salmond neatly articulated the jurisdictional (and devolutionary) difficulties of this issue, by arguing on this morning’s Today programme that anyone wishing an injunction to be effective in Scotland should apply to a court in Scotland. Fred Goodwin was “outed” in the Lords last week, and John Hemming MP has moments ago outed CTB himself.

And so it goes on. It has been announced in the past few minutes that a joint parliamentary committee will be established to consider privacy law reform. Against this backdrop, I set out a few (rapidly evolving) thoughts on four of the thorny issues raised by the report, the accompanying press conference given by Lords Neuberger and Judge and the general aftermath. On each of these four issues, my sense at the moment is that matters may develop in favour of openness rather than privacy – despite the failure this afternoon to overturn CTB’s injunction.

First though, a synopsis of the report’s thrust and limited terms of reference.

The report: procedure, not substance

As regards its subject matter, the committee distinguished between super-injunctions (where the order states that neither the named applicant’s private information nor the existence of the order can be published), anonymous injunctions (the order does not name the applicant or parties involved) and “so-called hyper-injunctions” (the order prohibits individuals from discussing matters with third parties).

It sees no legal barrier to any of these types of injunction taking effect. It thinks all such injunctions are very rare, but recommends that statistics be maintained on the granting of injunctions so that their prevalence can be monitored.

The report proposes a tidying up of the procedure for obtaining these injunctions. The committee gives a firm “no” to the use of specialist judges to hear these kinds of application. It says that Practice Guidance should be issued, which should include model orders and the process for expediting appeals against the granting of such orders.

Overall, however, the report is not about substantive law reform: that is a matter for parliament. In fact, it is now an urgent matter for parliament. In my view, some of the key issues to be considered are as follows.

Issue 1: media presence at injunction hearings

Parliament’s committee will, like the reporting committee, take Article 10 ECHR very seriously (for a very recent example of Article 10 affecting the interpretation of FOIA, see my post here). The report observes that “it will be a very rare case where advance notice of such an application to media organisations, which are likely to be affected by any order, can be justifiably withheld”. It proposes that the press be allowed to attend application hearings – bound of course by confidentiality agreements and non-disclosure orders. This would allow the media to be properly informed of the matters on which they may not report, and would also equip them to appeal against orders where they deem this appropriate.

This is doubtless a step in the right direction in terms of Article 10. As the committee recognises, however, there are real practical difficulties with the proposal. First, interim injunction hearings are often so rushed that there is no real prospect of a blanket invitation to the media. Secondly, how does one determine who the “media” are who are allowed to attend such hearings? As Lord Judge put it “we know who you [the media attending the release of the report] are, we’re familiar with you, but someone comes along and says, “I’m from the Argyll and Orkney Express” but how do we know? Do we really expect to have cards issued? Can you imagine the bureaucracy?”.

Part of the problem is this: either anyone with an interest in reporting the matter is allowed to attend, or only the “establishment” (this is my term, but seems the sentiment reflected in Lord Judge’s rhetorical question) is allowed, even though the aim is to make everyone subject to the order, establishment or not. The former option exponentially increases the risk of leaks and disclosures on Twitter. The latter option draws distinctions which are impracticable and problematic in terms of Article 10 and fairness in a broader sense. My view is that the former option will prevail, and that we will see a very broad net of media attendees at future super-injunction hearings. This in itself might serve as a deterrent to making such applications in the first place.

Issue 2: Twitter and other “modern technology”

There has been a flexing of judicial muscle as regards Twitter. Though he described “modern technology” as “totally out of control”, Lord Judge took hope from efforts to combat online child pornography. He said this:

“Are were really going to say that someone who has a true claim of privacy, perfect well made, which the media and newspapers can’t report, has to be at the mercy of someone using modern technology? At the moment that may seem to be the case but I am not giving up on the possibility that people who in effect peddle lies about others by using modern technology may one day be brought under control, maybe through damages – very substantial damages – maybe even through injunctions to prevent the peddling of lies”.

The language of “peddling lies” is curious. That is a concept belonging to libel law, rather than privacy. Those seeking super-injunctions tend not to say the underlying material consists of lies, but simply that it is private. The damage lies not in the falsity of the material, but in the fact that people talk about it.

This distinction is important in at least two respects. First, if an applicant wants to prevent people talking about the matter, but many people have already done so (for example, on Twitter), then his or her case for an ongoing injunction is weakened; it begins to look more a matter for damages than for injunctive relief.

Secondly, foreign jurisdictions may be even less cooperative about orders from England and Wales protecting private (but often true) material than they often are about similar orders concerning libel (see for example the United States’ Speech Act of 2010). Countries co-operate against copyright infringement and child pornography because they think it important to do so in a civilised society. They may be less inclined to think that about, say, Andrew Marr’s sex life. In other words, there is a good chance that legal action, whether for injunctive relief or damages, taken in England and Wales against foreign reporters may simply be impotent.

Contrast this likely impotence with measures for after illegal file-sharers through their internet service providers, proposed under the UK’s Digital Economy Act 2010 (on which, see my discussion here in advance of BT’s judicial review of that Act): unlike Twitter, ISPs often have a commercial footing in the UK which they are concerned to protect; international (including EU) legal protection is far more advanced than for copyright than for privacy; even under the Digital Economy Act’s proposal, infringing users are to be given a number of warnings before their details are handed over to those seeking damages, unlike the old Norwich Pharmacal model being utilised in the footballer’s action against Twitter.

Issue 3: granting and maintaining super-injunctions

The report emphasises that super-injunctions are not to be permanent, but should be granted only for very short periods of time. If anyone notices a super-injunction being granted with no return date, they should complain about it, as was done in the Zac Goldsmith/Jemima Kahn case. So far so good: allowing the media to be present for application hearings would help on this front, as would minimising the time between the interim injunction and the return date.

As regards the grounds on which a super-injunction should be granted, the report’s mood music suggests that some may have been granted too readily. It stresses that “in seeking to minimise derogations from the principle of open justice, the committee envisaged that super-injunctions will only be granted in very limited circumstances”. Other than to emphasise exceptionality and Article 10, there is probably little to be said (either by the committee or by parliament) in terms of guidance to judges on granting such injunctions – this is, and will remain, largely a case-by-case business.

The thorny issue of the moment, however, is this: if a matter has been very widely disclosed on Twitter and other websites, is it fair to maintain an injunction the effect of which is to prevent the establishment media from reporting it? If, as I suggested above, the damage comes from people knowing about what you have done, hasn’t the horse bolted in such circumstances? If people wish to reject your job application or shun you at parties, they will probably do so regardless of how they learnt about your indiscretions. Part of what seemed to concern David Cameron in his ITV interview this morning is this prejudicial effect on the establishment as compared with “newer” media, which commentators have described over the weekend as existing in “parallel universes”.

Lords Neuberger and Judge both suggested on Friday that, to the extent that there are differential effects on newspapers as compared to Twitter, that difference is justified. To a degree, they are correct: rightly or wrongly, we tend to expect more noble and sophisticated ethics from mature brands of journalism than we do from little-known blogs, and applicants no doubt suffer incremental damage from the public seeing matters reported in print headlines or on major news websites which they would otherwise have had to seek out on Twitter. There must come a point, however, where the media’s interests (including under Article 10) outweigh this combination of incremental harm and ethical expectation. That too is probably a matter for case-by-case determination, but it is something parliament’s joint committee will surely wish to consider. It may well side with the media over the privacy-seeking individual if forced to give guidance on a hypothetical case.

Issue 4: parliamentary privilege and contempt of court

The constitutional stakes are highest in this strand of the current debate.

The committee was very clear that no super-injunction or any other court order could conceivably restrict or prohibit parliamentary debate or proceedings. It also recognised that, in defamation proceedings, the reproduction of extracts from Hansard attracts attaches to, while honest, fair and accurate reporting of parliamentary proceedings attracts qualified privilege. It is unclear, however, whether the same would apply in contempt proceedings. In fact, “the law relating to Contempt of Court when it comes to reporting what is said in Parliament is astonishingly unclear”, as Lord Neuberger put it. The extent to which parliamentary privilege attaches to conversations between an MP and his or her constituents (some of whom may of course be journalists) is also unclear.

Lord Judge, however, explicitly disapproved of members of either house using parliamentary privilege to circumvent super-injunctions:

“But you do need to think, do you not, whether it’s a good idea for our lawmakers, to be in effect to be flouting a court order just because they disagree with the order or for that matter because they disagree with the law of privacy which parliament has created”.

John Hemming MP clearly takes a different view.

Again, there is much of interest in Lord Judge’s remark, such as the reference to parliament having created the law of privacy, and the implicit distinction between parliament flouting a court order and an individual member doing so. It would be very surprising, however, if parliament’s joint committee were to propose a constrained version of parliamentary privilege. If that committee is robust in defence of the houses’ privileges, the door may be opened to future “outings”, such as that of Fred Goodwin or CTB. Mindful of this, the reporting committee proposed a softer form of control than the restriction of parliamentary privilege. It suggested that:

“House authorities should consider the feasibility of a streamlined system for answering sub judice queries from the Speakers’ offices. Such a communication system will require the creation of a secure database containing details of super-injunctions and anonymised injunctions held by Her Majesty’s Courts and Tribunals Service, which could be easily searchable following any query from the House authorities”.

Parliament’s committee may well endorse this as the approach best suited to preserving a balance of respect (as opposed to contempt) between parliament, the courts, the media and individuals fearful of their privacy being overridden on political platforms.

On this issue, as with so much of the UK’s constitution, the answer may turn out to be a tense but workable network of understandings, rather than hard law. Perhaps this would calm matters only temporarily. But it might also provide breathing room for the public to evolve our expectations about privacy and freedom in both establishment and “modern technology” media, without bringing the latter under any undue “control”.

Robin Hopkins

Tags: , , , , , ,
Posted in Uncategorized | Comments Off

TRIBUNAL ORDERS DISCLOSURE OF POLICING CAMERA LOCATIONS

April 16th, 2011 by Robin Hopkins

Those interested in information law in the context of policing will wish to note the very recent Tribunal decision in Mathieson v IC and Devon and Cornwall Constabulary (EA/2010/0174).

Automated Number Plate Recognition (ANPR) cameras are strategic policing tools used by a number of forces.  Mr Mathieson asked Devon and Cornwall Constabulary to provide him with the locations of its ANPR cameras. It refused, relying on the prejudice-based qualified exemptions at s. 31(1)(a) (prevention or detection of crime) and s. 31(1)(b) (apprehension or prosecution of offenders). The Commissioner considered that the public interest arguments – though finely balanced – favoured the maintenance of these exemptions.

The Tribunal agreed that these exemptions were engaged, but disagreed on the public interest, and ordered disclosure.  It considered that the Commissioner had overlooked a number of relevant factors.

First, this is a privacy issue: ANPR cameras capture vast amounts of personal data; there is therefore substantial public interest in scrutiny of their use (further illustrated by parliamentary questions on the subject). Secondly, location data alone would not undermine policing – information on factors such as policing tactics, data and analytical capabilities were equally necessary.

Furthermore, the Constabulary had put forward weak arguments: the Tribunal was unimpressed by its attempt to rely on reports by other police forces on their use of ANPR cameras, and by its focus on issues such as the potential for vandalism – which is not sufficiently connected to the interests protected by ss. 31(1)(a) and (b).

Tags: , , ,
Posted in INFORMATION LAW | Comments Off

THE EVOLVING BATTLE AGAINST ILLEGAL FILE-SHARING: SOME DATA PROTECTION OBSERVATIONS

March 3rd, 2011 by Robin Hopkins

Late last year, Julian Wilson blogged about the Digital Economy Act 2010, and the judicial review challenge to its compliance with EU law – including data protection law. With those proceedings drawing near, I have written a thought piece for Practical Law on some of the related issues, available here.

Tags: ,
Posted in INFORMATION LAW | Comments Off

SCOTTISH GOVERNMENT ISSUES PRIVACY GUIDANCE

January 5th, 2011 by Robin Hopkins

The Scottish Government has published its guidance document on Identity Management and Privacy Principles. The guidance is aimed at both public sector policy makers and with those involved in devising or operating systems for proving or recording identity. Key principles include:

  • For services which are used frequently and for which identification is needed, users should be required to register only once. Thereafter, unless there is a statutory requirement to prove identity, a person should generally be able to access the service by authenticating themselves using a token (such as a bus pass or library card) that proves their entitlement without revealing personal information. In other circumstances, a user name and a password may be required.
  • A Privacy Impact Assessment (PIA) or proportionate equivalent should be conducted and published prior to the implementation of a project which involves the collection of personal information.
  • Where a public body has a contract with the private sector or the third sector, the contractor must be contractually bound to adhere to best practice as outlined in the guidance.
  • The creation of centralised databases of personal information is to be avoided.
  • If a public service organisation needs to link personal information from different systems and databases (internally or between organisations), it should avoid sharing persistent identifiers. Instead, other mechanisms – such as matching – should be considered.

Tags: , , ,
Posted in INFORMATION LAW | Comments Off

LOCAL AUTHORITY ORDERED TO RETAIN COURT JUDGMENT IN INDIVIDUAL’S FILE

January 5th, 2011 by Robin Hopkins

The Administrative Court’s (as yet unreported) judgment in R (on the application of N) v a Local Authority in December 2010 saw the quashing of a decision to withdraw a licence to be in contact with children. The case concerned the familiar public law principles of judicial review and human rights, but from an information law perspective, the point of interests is this: in reaching its decision to withdraw the individual’s licence, the local authority compiled information on that individual, including the allegations made against him (namely, that he was a paedophile with a history of sexual offences) as well as its meetings with the individual. Ockleton J not only overturned the local authority’s decision, but also directed it to keep a copy of the judgment with its records relating to the matter, so that its records on this individual were full and accurate. Otherwise, he ruled, the local authority’s file on this individual was potentially misleading to anyone subsequently accessing it.

Tags: , ,
Posted in INFORMATION LAW | Comments Off

DISCLOSING DATA FOR PURPOSES OF MEDICAL RESEARCH – NEW ECHR JUDGMENT

November 23rd, 2010 by Anya Proops

Many readers of this blog will be familiar with the stringent protections which the Data Protection Act 1998 (DPA) affords in respect of personal health data (see further the definition of ‘sensitive personal data’ in s. 2 DPA). Thus, for example, if a data controller wishes to avoid contravening the first data protection principle (the fair and lawful processing principle) as and when it is processing health data, it must ensure that: (a) the particular processing is fair and lawful; (b) that it meets one of the conditions provided for in schedule 2 to the DPA and (c) that it meets one of the very narrowly drawn conditions provided for in schedule 3 to the DPA. If the processing is intended to serve the interests of medical research, the data controller will doubtless wish to look in particular at the condition provided for in paragraph 8 of schedule 3. That condition stipulates that the processing must be ‘necessary for medical purposes’ (which includes the purposes of medical research) and be undertaken either be ‘a health processional’ or ‘a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if the person were a health professional’. Of course, the principle which underpins this particular condition is that it is very much in the public interest that, subject to the test of necessity, health data be shared by medical researchers. A recent judgment of the European Court of Human Rights (ECHR) has highlighted the importance of this particular public interest: Gillberg v Sweden (application no. 41723/06).

In Gillberg, two researchers requested access to health data which had been accumulated by Professor Gillberg as part of a long-term project on hypheractivity and attention deficit disorders in children which he was running out of the University of Gothenburg in Sweden. The University refused access on the basis that assurances had been given to the parents of the children and later the children themselves concerning the confidentiality of the data. The researchers challenged the University’s decision relying on Sweden’s long-established and generous rules on access to official documents. The Swedish administrative court upheld the researchers’ claim and ordered that the University disclose the data to them, subject to the imposition of strict conditions on their handling and use of the data. In reaching the conclusion that the data should be disclosed to the researchers, the Swedish court took into account not least the public interest in ensuring the independent and critical evaluation of medical research in the important field of neuropsychiatry. The data was subsequently destroyed by certain of Professor Gillberg’s colleagues. Thereafter, Professor Gillberg was convicted of misuse of office by the Swedish Parliamentary Ombudsman. Having lost his appeals against conviction in the national courts, Professor Gillberg took his case to the ECHR claiming that the conviction breached his Article 8 and 10 rights, particularly in view of the assurances of confidentiality which he had given to the data subjects and their parents. The ECHR dismissed Professor Gillberg’s appeal. It found that, even if the conviction interfered with Professor Gillberg’s Article 8 right to privacy (i.e. his right to privacy in the context of his professional affairs), that interference was justified in the circumstances. It also found that there was no interference with Professor Gillberg’s Article 10 right to freedom of expression as he was convicted not for giving assurances of confidentiality but rather because he misused his office in response to the judgments of the court.

The ECHR’s judgment is interesting not least because it confirms that, at least for the purposes of human rights jurisprudence, the fact that promises of confidentiality have been given to individual patients/research subjects does not create an automatic bar on disclosures which may breach those promises, particularly where the disclosures serve important public interests such as the interests in protecting the integrity and progress of medical research. Query whether the same result would have obtained on an application of the principles embodied in the DPA, particularly in view of the relatively permissive approach to disclosures for the purposes of medical research contained in paragraph 8 of schedule 3.

Tags: , , ,
Posted in Uncategorized | Comments Off

ICO SIGNS UNDERTAKING WITH GOOGLE AND DEFENDS ITS STANCE

November 22nd, 2010 by Robin Hopkins

I reported in a recent post that the Information Commissioner had instructed Google to sign an undertaking aimed at any repeat of the breaches of the Data Protection Act 1998 committed during Google’s information-gathering for its Street View feature. That undetaking has now been signed, and a copy can be viewed here. It requires Google engineers to maintain a “privacy design document” for each new Google project prior to launch. It provides for further training and data protection awareness for Google engineers and other employees. The undertaking also assures the deletion of all personal data which had been gathered unlawfully, and provides for the Commissioner to audit Google’s revamped data protection procedures nine months from now. Interestingly, the undertaking applies to Google’s global activities and not just its UK ones.

The ICO has come under fire for being soft on Google. The Commissioner, Christopher Graham, has defended his stance, including in an interview with the Daily Telegraph which can be found here. In that interview, the Commissioner remarks that “a lot of people out there want somebody – probably not me – to be the privacy tsar. But that’s not what the Information Commissioner is”. Recent indications suggest, however, that the ICO could potentially take on a “privacy tsar” role – see the recommendations from its recent surveillance report, summarised here.

Tags: , ,
Posted in INFORMATION LAW | Comments Off

« Older Entries