As part of our provision of tailored in house training, we have to read OSC inspection reports. The following is a list of common mistakes highlighted by the OSC. They are not attributable to any particular organisation.
FORMS
Use of out of date forms
No Unique Reference Number (URN)
Not amending forms so that only those grounds are present which are available to the public authority e.g. councils – preventing or detecting crime
Pre completed forms
Use of cut and paste in boxes/repetitive narrative
AUTHORISATION PROCESS
Rubber stamping – no real thought given to authorisation
Necessity, proportionality and collateral intrusion not fully understood/considered by investigators and authorisers
Likelihood of obtaining Confidential Information not fully considered
Some ‘open source’ internet research is being conducted which may actually meet the criteria of Directed Surveillance and therefore require authorisation
Confusion re: reviews and renewals
Lack of understanding of when a person is a CHIS
Two many Authorising Officers
Authorising Officers are not making adequate provision for destruction of product that is collateral intrusion or of no value to the operation
Several authorities are pooling resources but then not obtaining authorisations and keeping records in relation to a proper designated authority
Confusion about interference with property powers under Police Act 1997
NB councils cannot do this
More robust management and quality assurance procedures required
RECORD KEEPING
Central records not compliant with the Code of Practice
Inadequate monitoring, recording and audit of surveillance equipment
Inadequate handling and storage of surveillance product/evidence
POLICIES AND PROCEDURE DOCUMENTS
Inadequate/no RIPA policy
In adequate guidance document (or out of date)
No CCTV protocol/procedure
OSC may wish to visit your CCTV control room
TRAINING AND AWARENESS
Inadequate training
Lack of regular training/refresher trainer
Inadequate record of those who have been trained
OSC may ask to see recent training materials
If you are considering refresher training for RIPA investigators and authorisers, please see our full program of RIPA Courses and our online webinars. We can also deliver tailored in house training at your premises.
Ever since the changes to the council surveillance regime, which came into force on 1st November 2012, the OSC has taken an interest in ensuring councils do not authorise surveillance under RIPA for “minor offences.” In addition they have been keen to ensure that council’s have an agreed protocol and procedure for presenting authorisation applications to the Magistrates’ Courts. Finally where surveillance needs to be done outside the scope of RIPA then a Non RIPA authorisation policy should be implemented and followed.
Do your RIPA documents need revision? Avoid re inventing the wheel! Our RIPA Policy and Procedures Toolkit gives you a standard policy as well as forms (with detailed notes to assist completion) for authorising RIPA and non-RIPA surveillance. Over 200 different organisations have bought this document (available on CD as well).
This is a new qualification for those who work with Data Protection and privacy issues on a day-to-day basis. With an emphasis on practical DP issues and looking ahead to the proposed EU Data Protection Regulation, we are confident that this certificate will become the qualification of choice for those new to Data Protection as well as experienced practitioners who wish to have their expertise recognised through a formal qualification.
The course syllabus has been designed in consultation with an independent exam board of well-known data protection experts from the public and the private sector in the UK and Europe. It is intended to give candidates a balanced view and understanding of data protection law and everything they need to know to manage the Data Protection Life Cycle. Candidates will also gain a head start in understanding and implementing the proposed EU Data Protection Regulation (expected to be finalised in 2015).
WHY THIS COURSE IS DIFFERENT
Emphasis on practical application of DP law
Teaches practical skills to manage the DP lifecycle including
DP Audits and Privacy Impact Assessments
Online resource lab with videos, quizzes and additional resources
Choice of online seminars in addition to face to face learning
Assessments testing practical knowledge not rote learning
Our expert speakers will share their practical experience gained through years of helping organisations comply with their DP obligations. This, together with exclusive access to our online resource lab, will mean that candidates will not only be in a position to pass the assessments but to learn valuable skills which they will be able to apply in their workplace for years to come.
The course takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by some online training sessions and a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.
This new course builds on Act Now’s reputation for delivering practical training at an affordable price. We were the first company in the UK to launch a dedicated Freedom of Information qualification for the Scottish public sector. The Act Now Practitioner Certificate in Freedom of Information (Scotland) is endorsed by the Centre for FOI. Professor Kevin Dunion is Executive Director of the Centre. He was previously the Scottish Information Commissioner.
Act Now Training will continue to deliver the BCS Certificate in Data Protection of which it is one of the leading providers. This new course widens the choice for DP practitioners and advisers. Commenting on the launch, Paul Simpkins (Director of Act Now Training) said:
“I am pleased be able to launch this new practical DP qualification which will also prepare delegates for the big changes in the future in the shape of the proposed EU Data Protection Regulation. Act Now will continue to watch developments in Europe with a view to updating the course syllabus. In time we hope to establish this qualification’s reputation throughout Europe.”
To learn more about this new qualification please see our website or download the flyer.
In December 2013 a group legal action was settled against the London Borough of Islington following breaches of the Data Protection Act 1998 and the Human Rights Act 1998. Anna Thwaites, partner at Hodge Jones & Allen LLP, and Ruth Brander, counsel from Doughty Street Chambers, acted for the claimants.
Anna explains the background and legal basis for the claims below:
Hodge Jones & Allen LLP & Doughty Street Chambers acted for 14 Claimants in a Group Action against the London Borough of Islington after it leaked their personal data to unauthorised third parties on two separate occasions in 2012.
The First Breach – April 2012
In April 2012, Islington Council sought injunctions against thirteen youths for anti-social behaviour. The injunctions were served on ten of these between 20th and 24th April 2012. On 26th April it became known to the council that personal information regarding residents who had made complaints about anti-social behaviour had been disclosed to the injunctees. An unredacted spread sheet of Anti-Social Behaviour (ASB) Hotline calls and concierge reports had been included. These contained complaints from 50 individuals. In many cases this included the name, telephone number and estate/street name.
The police retrieved seven out of the ten injunction packs issued to the individuals. The police also warned the injunctees that they should not use the information to contact any witness. In the immediate aftermath, there was a police presence on the Andover Estate and some residents moved from their properties to new locations.
An Information Commissioner’s Office (ICO) investigation was instigated and various recommendations made. The Council agreed to a voluntary inspection rather than a monetary fine.
The Second Breach – 26 June to 14 July 2012
Whilst responding to a Freedom of Information Act request on the website ‘What Do They Know,’ the Council sent an Excel spreadsheet containing details of housing allocations to an organisation called mySociety. The spreadsheet included sensitive personal data on people offered social housing by the Council. This included their name, address, gender, ethnicity, religion, sexuality, relationship status and assessment of housing priority needs. Over 2,400 residents were affected.
Between 26 June and 14 July 2012, there were 7 download requests on this website. It is not possible to know whether any of the people downloading this information accessed the Excel spreadsheets containing this highly personal and sensitive information.
Following this breach there was an ICO investigation and the Council was fined £70,000. This was in addition to the compensation paid to the individual Claimants.
The Claims
We acted for four Claimants affected by the first breach, eight Claimants affected by the second breach and two Claimants affected by both breaches.
The Claimants’ principal claims were for stress, distress and frustration. Some Claimants believed the breach exacerbated existing psychological or psychiatric conditions. Very few Claimants had incurred financial losses arising from the Council’s breaches.
Around April 2013, Letters of Claim were sent to the Council for each Claimant alleging a breach of the Data Protection Act 1998 and Human Rights Act 1998 following a breach of Article 8 ECHR (the right to family and private life).
The parties entered into a limitation standstill agreement in respect of the Human Rights Act claim. Under section 7(5) of the Human Rights Act 1998, a claim must be brought before the end of the period of one year beginning with the date on which the act complained of took place or such longer period as the court considers equitable having regard to all of the circumstances. This was the best way to preserve the Claimants’ position without issuing court proceedings.
At the conclusion of the Council’s Pre-Action Protocol Investigations, they admitted liability in July 2013 for breaches of the Data Protection Act and Article 8 ECHR for all but one of the Claimants. In relation to this Claimant, they advised that the Claimant had been erroneously informed that their data had been breached, when in fact it had not. The Council made Part 36 offers in settlement to all Claimants ranging from £500 to £5,000.
Following settlement negotiations, all claims settled in December 2013 without the need to issue court proceedings. The Claimants were awarded over £43,000 in compensation. The awards ranged from £1,000 to £5,000 depending on how the breach impacted on each Claimant.
As part of the terms of settlement, the Council provided an unreserved apology and provided a detailed letter to each Claimant outlining how the breach happened, how it was discovered, the changes made subsequently and lessons learnt. All of the Claimants’ cases were funded under Conditional Fee Agreements under the pre 1 April 2013 regime.
Thoughts on the Case
It was clear from the outset that there had been a breach of the Data Protection Act, but in order to be entitled to compensation under section 13(2) a Claimant must suffer damage.
The difficulty with these cases is that many of the Claimants were unable to establish a financial loss or a personal injury arising from the Council’s contravention. This issue was not explored in depth during litigation given the Council’s early admission of liability and Part 36 offers in settlement, but the case of Halliday v Creation Consumer Finances [2013] 3 CMLR 4would have assisted the Claimants on this point.
In this case, the Court was prepared to award nominal damages of £750 for distress to reflect a breach of the Data Protection Act, even if there was insufficient evidence to establish a substantial breach. The Court did not penalise the Claimant for being unable to establish a financial loss arising from the breach. The Claimants’ cases are clearly analogous and this case also provided some helpful guidance on the level of compensation the Courts may award depending on the facts of the case.
Another factor which potentially led to early settlement is that Article 8 ECHR does not have the same requirement as the Data Protection Act to establish ‘damage,’ although there is very little case law on the level of damages the Court may award in this type of case. Traditionally compensation for breaches of the Human Rights Act have been less generous than compensation awarded by the domestic courts.
It would also be interesting to see if the Council’s approach would have changed if the claims were brought on the basis of the Data Protection Act alone or outside the time limits for a Human Rights Act claim.
However, these cases clearly demonstrate that a failure to comply with the Data Protection Act 1998 and/ or Article 8 ECHR will be at a Defendant’s peril. This was an extremely costly mistake for the Council, who failed to learn from their mistakes and breached the Data Protection Act 1998/ Article 8 ECHR not only once but twice in as many months.
It is hoped that, following the ICO investigation and litigation, the same mistakes will not be made again. A clear message has been sent to Public Authorities of the potential consequences of failing to comply with their obligations to safeguard citizen’s personal data. This case also shows how Data Controllers can be held accountable for their actions.
Keep up to date with the latest DP developments by attending our workshops and online courses.
The poor quality of the British daytime television schedule means that one who is off sick or “working” from home, often has a choice between BBC Parliament, School for Stars and Heir Hunters. (Yes dear reader, I have done our research!) The latter is a BBC programme focusing on attempts by Probate researchers to find missing or unknown heirs, entitled to deceased persons’ estates.
In the UK, intestacy law states that when someone dies with no will or known family, everything they own passes to the Crown as ownerless property (or ‘Bona Vacantia’). This includes their house, money and personal possessions. Thus finding missing heirs is quite a lucrative business as some of these companies require beneficiaries to enter into an agreement to share up to 40% of the inheritance.
What the BBC programme does not tell the viewer is that Probate researchers (also known as heir searchers and forensic genealogists) often use the Freedom of Information Act 2000 (FOI) to request information to help them trace missing beneficiaries. Over the last few years many councils have seen a substantial increase in the number of these requests. These relate to deaths in the local area where the deceased is believed to have died intestate and with no known next of kin. Councils may have this information because the deceased was in the care of the council or had a public health funeral. The researchers often asks for the deceased’s name, date of birth, date of death, last known address and the estimated value of the estate.
How to deal with such requests? It may be that the requested information has already been passed on to the Government as required by law. In England and Wales, the Bona Vacantia Division (BVD) of the Treasury Solicitor’s Department is responsible for dealing with bona vacantia assetsexcept in the Duchy of Lancaster or the Duchy of Cornwall. Everyday BVD publishes an Unclaimed Asset List setting out unclaimed estates which have been recently referred, but not yet administered, and historic cases which have not yet been claimed by entitled relatives. Included in the list is the deceased name, area of death, date, marital status, place of birth and local authority informant. Sometimes other details will be given (if known) such as spouses name, place of marriage and nationality. The list is updated every working day and newly advertised estates appear at the top of the list.
This list is a good starting point for probate researchers but often and they will rely on FOI requests to councils to try and fill in the blanks and trace missing relatives before their rivals. Many councils have chosen to put a lot of the information on their website; Redbridge, Northampton, Knowsley to name a few. This then allows them to claim the exemption under section 21 of FOI i.e. that the information is reasonably accessible by other means. Often though the researchers want more than the basic information, which is published by the councils online (see later).
Of course where the requested information has been passed on to the BVD (or is about to be passed on) and it will appear on the published BVD list, it is open to the council to claim the exemption under section 22 (information intended for future publication). It does not matter that the council will not be publishing the information itself as long as there is a settled intention to publish it on the part of another (in this case the BVD). Section 22 is a qualified exemption and so subject to the public interest test.
Section can only be claimed if the precise information, which is the subject of the FOI request, is going to be published by BVD. In a Commissioner decision from 2007 involving the Rent Service(TRS),the complainant requested to be advised as to the then current figures for local reference rents in a specified area in the UK. TRS declined to release the information relying on section 22 stating that the figures would be contained in an annual valuation report to be published at a later date and that the public interest in maintaining the exemption outweighed the public interest in disclosing the information. The Commissioner found that section 22 did not apply as the figures requested would not be published in the valuation report.
Where the information requested by probate researchers is not published, many councils have claimed the exemption in section 31 arguing that disclosure would prejudice the prevention of crime. Indeed BVD have themselves claimed this exemption to withhold the value of the estates they have processed arguing that “disclosure of the exempt information could help enable the commission of fraud”. It is difficult to understand how disclosing the value of a person’s estate would directly lead to a criminal offence being committed. Surely more than a general statement is required in the refusal notice? The Information Commissioner’s Guidance on section 31 states:
“The public authority must be able to demonstrate a causal link between the disclosure and the harm claimed.”
However a 2012 decision of the Information Commissioner seems to lend support for use of section 31 in such cases. The complainant requested details of people for whom Westminster City Council had arranged “paupers” funerals in the last ten years. The Commissioner agreed with the council that section 31 applied and it was not in the public interest to disclose the information.
The Council argued the release of personal details of a deceased individual with no known relatives, and no will, may make the assets of that person vulnerable. It explained that the assets of the deceased need to be secured and disclosure of the information may lead to the commission of offences (e.g. arson, identity theft etc.) and cause loss to the unsecured estates. The Commissioner also placed weight on the fact that Westminster is one of the London boroughs with the most reported identity fraud cases.
Some councils have argued that section 41 (Breach of Confidence) may apply to some of the information requested about the deceased. This can only be the case if the information has come from another party and is highly confidential. Section 41 is unlikely to apply to most requests from probate researchers. For a detailed discussion on access to information about the deceased under FOI, read my article and blog post.
I have not come across a First Tier Tribunal decision on “Heir Hunter requests” and so the exemptions, especially section 31, have yet to be comprehensively explored. For now, it seems that councils can use the range of exceptions discussed above to reduce the burden of FOI requests from probate researchers. Some information should of course be provided to satisfy the nation’s appetite for “quality day time television!”
Act Now Training is pleased to announce that it has won a tender to deliver information rights consultancy services to an executive agency of a UK Government Department.
The Rural Payments Agency (RPA) is an executive agency of Defra, and operates as the single accredited CAP paying agency in England on behalf of Defra and the Devolved Administrations. It delivers £2.3 billion of CAP payments each year to the businesses and organisations which supply our food, maintain our rural economy, cultural heritage and environmental landscapes. In total, it is responsible for over 40 EU CAP schemes, some of which apply across GB and the UK.
RPA is subject to the full range of information access legislation including the Data Protection Act, Freedom of Information Act and the Environmental Information Regulations. Act Now has been tasked with reviewing the RPA’s information rights handling policies and procedures in the light of best practice and legislative developments. By the end of March we will be delivering a report setting out our recommendations.
Paul Simpkins and Tim Turner, well known experts and trainers in this field, will lead this project. Commenting on the award of the contract, Ibrahim Hasan (director of Act Now Training) said:
“I am very pleased that we have won yet another consultancy project for a major government agency. Our services will contribute to the good work already being done in the RPA to ensure that information governance processes and procedures follow industry best practice. ”
This is one of many recent consultancy projects Act Now has undertaken and enhances our reputation as one of the UK’s leading providers of in house training and consultancy in information law and information management. We pride ourselves on having the most well known experts who have all worked in the public sector for many years. We particularly specialise in:
Conducting information management audits
Writing policies, procedures and protocols
Conducting information risk assessments
Providing best practice advice on handling requests for information
Writing reports for senior managers and decision makers
We are also starting to develop an international reputation. In January 2014 we won a contract to deliver data protection consultancy services to the Government of Brunei.
December 2013 marked the 10-year anniversary of one of Data Protection’s most notorious developments, but it came and went without any great fanfare.
It’s not really surprising that the Information Commissioner’s Office (ICO) didn’t issue a press release celebrating the Durant judgment’s birthday, as they have been quietly attempting to erase it from history. The result of a long-running dispute between a former Barclays Bank customer and the now defunct Financial Services Authority, Durant v Financial Services Authority [2003] EWCA Civ 1746 was a significant case. The Court of Appeal judges took a sharp look at the definition of personal data, what kinds of manual files are covered by subject access, and the purposes for which subject access can be used – with controversial results. I happened to speak to a former colleague at the ICO a day after Durant was published, and he described the atmosphere as ‘panic’.
Some of Durant is helpful – the judgement proposes that personal data:
“should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest”.
Those who have worked on Data Protection for a long time will have encountered the view that the mere mention of a person’s name in an email meant that they were entitled to receive it. Durant torpedoed that notion. Other elements remain contentious – the ICO has never agreed with the assertion in paragraph 27 that subject access should not be used “to obtain discovery of documents that may assist him in litigation or complaints against third parties”, The new ICO Subject Access Code rejects this notion altogether, despite the fact that the lower courts have followed the principle every since. However, Durant’s most irksome element – ‘biographical significance’ – has been put in its place by the same court that invented it.
Mr Durant sought data about the FSA’s investigation into his complaints about Barclays, and his lawyers used an expansive interpretation of ‘personal data’ to stake his claim. The FSA’s focus was on Barclays and its practices, which meant that much of the correspondence Durant wanted was about the bank. He also wanted the names of the FSA staff that had dealt with his complaint. Unfortunately, Auld LJ linked the sensible idea of focus to a notion of ‘biographical significance’ test, stating that personal data must be “information that affects [a person’s] privacy, whether in his personal or family life, business or professional capacity”. This was a complicating and potentially unhelpful development. Focus makes sense – an email in which your name is mentioned in passing may well not be about you. But biographical significance is an unnecessary and restrictive innovation.
For example, when looking at a CCTV image with a person in the centre and bystanders in the background, the idea of ‘focus’ allows you to distinguish between the obvious subject of the image and the others. But asking whether the image is biographically significant raises the possibility that a clear picture of a living, identifiable person isn’t actually personal data if it has no private connotations. Is an image of me walking down the street biographically significant? Many have adopted biographical significance as a rule of thumb, a test to apply whenever the question of personal data was raised. In the public sector, it could mean that data about people that wasn’t biographically significant could be disclosed under the Freedom of Information Act 2000 (FOI) because it wasn’t technically ‘personal data’. In the private sector, anything not ‘biographically significant’ could be legally invisible, subject to none of Data Protection’s requirements.
The ICO’s approach to Durant – after the alleged panic subsided – was initially mixed, but for quite a few years it has been consistent. As some sort of riposte to Durant, in 2007 they published technical guidance on the meaning of ‘personal data’ called ‘Determining what is personal data’ – rather than Durant’s narrow, privacy-piercing interpretation. There are few references to Durant anywhere in the ICO’s output, but the technical guidance makes clear that testing ‘biographical significance’ is far from being an automatic or necessary step – it is for borderline cases when context and common sense don’t get you to the answer.
Many data controllers have been tempted to use Durant as a way of shrinking Data Protection down to a comfortable size. Indeed, when considering FOI cases involving personal data, the First Tier Tribunal appears to see the test as an inherent part of the decision, and biographical significance is often a feature of FOISA decisions by the Scottish Information Commissioner. Nevertheless, the ICO’s 2007 interpretation of Durant is logical. LJ Auld himself said that biographical significance was a notion “that may be of assistance” rather than a fundamental key to understanding personal data. Just as important was the balance provided by Buxton LJ, who noted at the end of the judgement that the tests were “a clear guide in borderline cases”. The Durant case was – in effect – about Mr Durant’s case, and didn’t change Data Protection as much as some have suggested.
For confirmation of this, fast-forward to Edem v IC & Financial Services Authority [2014] EWCA Civ 92, a Court of Appeal decision on a different case concerning another unhappy FSA (now the Financial Conduct Authority) complainant published this month. Mr Durant wanted to use Data Protection subject access to obtain his own data, and everything connected with it. Mr Edem wanted to use FOI to find out data about other people – specifically, the names and job titles of the junior staff who had dealt with his complaint. The FSA and Information Commissioner agreed that the data was personal, and that disclosure was unfair. So far, so uncontroversial. A spanner was thrown into the works by the First Tier Tribunal, to which Mr Edem appealed the ICO Decision. Using the biographical significance test, the FTT found that names and job titles were not biographically significant, and the focus of the information sought by Mr Edem was the investigation. The Edem FTT case was like a hall of mirrors, distorting and reflecting Durant to the extent that a type of information Mr Durant couldn’t get from the FSA under DP was now available to Mr Edem under FOI.
An appeal to the Upper Tribunal restored the ICO position, and so Mr Edem went to the Court of Appeal. A few cases – mainly resulting from appeals on FOISA decisions – have gone high enough in the UK court system to challenge Durant, but all skirted Durant itself. The Edem case was different – Durant and biographical significance had to be looked at head-on. The result is good news for common sense and data subjects, but bad for anyone who wants to finagle their way out of an awkward subject access request.
Paragraph 17 of the Edem Court of Appeal case isn’t the death knell for Durant, but it’s a healthy and heavy dose of context:
“The First Tier Tribunal were wrong to apply Auld LJ’s “notions” in this case”.
When trying to work out whether a person’s name is personal data, the Court says that biographical significance is irrelevant. The question is whether the data identifies a living individual, and without any complicating or contradictory factors, the data is all you need. My name is Tim Turner, and while that’s not enough to find the bearded Act Now Trainer on the internet (there are country singers and ice hockey players and the man who played the Invisible Man in TV in the 1950s to sort through), it’s easily enough to locate information about me in any of the places I have worked. The Court of Appeal in Edem wholly endorses the ICO view of biographical significance as an occasional add-on, and uses Buxton LJ’s comments from Durant itself to back up that approach.
If it was wrong to overplay the effect of Durant, it’s equally wrong to overplay Edem. For the public sector, Durant was always blunted by the onset of FOI – if you successfully argued that data wasn’t personal data about the subject access applicant, they could always ask for it under FOI. The new judgment doesn’t give new rights to data subjects or expand Data Protection’s reach. A person who wants to use Data Protection to get access to large amounts of information to which they have some loose or stretched connection will come to grief just as Mr Durant did. But the Edem case does restore logic – data that identifies a person, even in a relatively benign or innocuous way – is personal data. The Eight DP Principles apply. Even when at work and doing mundane professional tasks, the DPA is likely to be engaged. An apparent loophole has not been closed – the Edem case simply confirms that it was a lot smaller than it may have appeared. The ICO approach is vindicated, and both the First Tier Tribunal and bloody-minded data controllers may have to think again.
Tim Turner is one of Act Now’s well-known data protection experts. He will be considering this and other latest Data Protection developments in his forthcoming DP Update workshops . Read more of Tim’s expert analysis on his blog. Readers wanting to see how the Durant case has been applied in previous decisions should read Ezsias v The Welsh Ministers (2007).
Section 1 of the Freedom of Information 2000 (FOI) contains the general right of access to information held by public authorities. But what exactly is “information”? Section 84 defines information as “information recorded in any form.” This includes information held on paper, computer, video, audiotapes as well as that contained in manuscript notes. FOI does not give access to information that is known to the public authority but is not available in some recorded form (see Ingle v Information Commissioner (EA/2007/0023) ).
Mere marks made on documents are also information according to an Information Tribunal decision from 2009 (O Connell v the Information Commissioner and Crown Prosecution Service (EA/2009/0010)). Here the Tribunal considered access to manuscript notes made by a defence barrister, during a criminal trial, on his client’s typed police interview record. The Information Commissioner’s view was that some of the notes, which consisted of asterisks and underlining of words on a document, were not information for the purposes of FOI.
The Tribunal rejected this submission. In its view, however tenuous and potentially misleading the material sought may be, it still constituted information; even if it was only information to the effect that certain marks had been made on certain sheets of paper held by the public authority. The Tribunal did however rule that the requested information was sensitive personal data, disclosure of which would breach the Data Protection Principles. Consequently it was exempt under section 40(2) being third party personal data.
It is an oft-repeated phrase that FOI provides a right of access to information rather than documents. However, a request for a copy of a document will generally be a valid request for all of the information contained within that document (including visual format, design, layout etc). In considering whether the public authority has complied with the request, the question is whether all of the information recorded in the document has been provided. It will not be sufficient to rephrase the document or provide an outline or summary of its contents unless the applicant has specifically expressed a preference for a digest or summary under section 11(1)(c).
In April 2013 the First Tier Tribunal (Information Rights), ruled that images of MPs’ expense claim receipts was information to which the FOI applied (IPSA v Information Commissioner (EA/2012/0242)). The background to the request was that, following the MPs’ expenses scandal, the then newly-formed Independent Parliamentary Standards Authority (IPSA), decided that it would not routinely publish images of the receipts submitted to IPSA by MPs in support of their expenses claims. Only text transcribed from the submitted receipts would be published.
A journalist made an FOI request for the actual receipts submitted by a number of MPs. The question arose as to whether images of those receipts held by IPSA contained “information” within the meaning of section 1 of FOI, which was not captured by the transcription process favoured by IPSA. The Tribunal concluded that the definition of information (in this case) included logos, letterheads, handwriting, manuscript comments, and even the layout and style of the requested documents. These were not disclosed to the requestor as a result of providing a transcription, rather than a copy, of the relevant receipts.
“It is to me also trite to note that the wording on a typical receipt or invoice is only part of what a recipient sees when looking at it. Typically there will be verbal and numerical content to be read and understood, but there will also be visual content to be seen, rather than read, but which may also require to be understood for the recipient to have appreciated the whole of the experience, if I may term it that, communicated by the receipt or invoice.”
In the judge’s view information is more than just the words and figures on a piece of paper. Sometimes the nature of the request will mean that the only way to convey all the information on a document is to disclose the original or at least a copy. He gave the example of Land Registry plans, drawings and photographic evidence of a particular building.
In coming to his decision the judge took note of the Scottish Court of Session decision in Glasgow CC v SIC [2009] CSIH 73 under the Freedom of Information (Scotland) Act 2002 (FOISA). As a general point of principle, the Commissioner and the Tribunal is not bound by Court of Session decisions on FOISA, although they may be considered persuasive where the terms of FOISA mirror the terms of FOI. In the Scottish case the applicant specifically wanted the public authority to provide copies of the documents, although he acknowledged that the same information was available elsewhere. The Court confirmed that FOISA entitles requesters to the information within a document, rather than a copy of the document itself. To the extent that this request was specifically for copies of the documents over and above the information they contained, it was invalid. The Court rejected an argument that the copy documents were “information” distinct from the information contained within them.
The Court stated at paragraph 45 of the judgment:
“Where the request does not describe the information requested… but refers to a document which may contain the relevant information, it may nonetheless be reasonably clear in the circumstances that it is the information recorded in the document that is relevant.”
However paragraph 48 should be noted:
“The difference between the original and a copy… does not consist in any difference between the information recorded in each document: that information, if the copy is true and accurate, will be identical.” (my emphasis)
In the IPSA case, the judge ruled that transcriptions of the requested receipts would not be “true and accurate”, as they would not contain all the same information as on the originals e.g. logos, style, layout etc.
If you want to know more on the Scottish case, read the briefing note published by the Scottish Information Commissioner. The basic principles (and these apply equally to FOI requests) are:
The Freedom of Information (Scotland) Act 2002 (FOISA) provides a right of access to information and not a right of access to copies of specific documents.
Authorities should not automatically refuse requests for copies of documents, as long as it is reasonably clear from the request that it is the information recorded in the document that the applicant wants.
Requesting a document (e.g. a report, a minute or a contract) is a commonplace way to describe information. Where it is reasonably clear that a request is for the information contained in a document, the authority should respond to the request as one properly made under FOISA.
If a request is for a document, but it is not reasonably clear what information is being requested, the authority should contact the applicant to seek clarification.
These are interesting decisions especially for those public authorities who often insist, when refusing to supply actual documents (such as minutes of meetings) that FOI is about access to information not documents. Sometimes the requestor is interested in the document, which contains the requested information, as it will give a further insight into its background and the thoughts/observations of the producers/subjects of the document.
“Much will also in practice depend on the wording of the request. Contrast “How much did you spend on pencils?” with “Can I have a copy of your pencil invoices”. You can clearly provide in permanent form all the recorded information within scope of the first request without copies, but not perhaps for the second.”
Ibrahim Hasan will be discussing this and other recent FOI decisions in the FOI Update workshops which are delivered in online sessions as well as face to face.
Donald Maclean, Freedom of Information and Data Protection Officer at Perth College, recently successfully completed our certificated course; the Practitioner Certificate in the Freedom of Information (Scotland) Act 2002. Here Donald shares his experience and tips for future delegates:
I undertook this course in 2013, and was delighted to see a course that offered certification, and training days that were spread out over 5-6 weeks, which made it much more manageable in terms of my employer’s willingness to sign up for it.
The venue was lovely (overlooking Princes St Gardens in Edinburgh) and the quality of the training was first rate. The trainer (Tim Turner) had a plan, but was willing to take a tangent to address individual issues raised by participants. These tangents, and the highlighting of issues that arise in different types of public authorities, were amongst the most interesting aspects of the course. Examination of the law itself, and how it applies in reality, was detailed, accurate and certainly widened my understanding of the law. Information Commissioner decisions, related to individual aspects of the law, were particularly useful and enlightening.
The course helped me immensely in my job: in terms of added knowledge, procedural aspects, and confidence that decisions and replies would bear scrutiny if examined or challenged. Some aspects of FOISA procedure were altered after this course, to ensure that procedure would lead to the most appropriate and legally sound treatment of FOISA requests. I still keep course materials close to hand, and do still refer to them at times.
Feedback was supplied to my HR department and line manager, and I was able to report that I considered the course to be excellent value for money. Certification was useful in terms of acknowledgement of CPD activities, and also for my professional status.
I tended not to worry too much about the exam. It was made clear that if we did the required reading and familiarised ourselves with course materials and Information Commissioner decisions, we would have the knowledge necessary to pass the exam. So, I did the homework, read the course materials, and paid attention to the content of the Commissioner’s decisions. On the odd occasion during the exam when I drew a blank, I suspect it was due to age and failing memory. The only part of the course I struggled with was the interpretation of the case studies for the projects. I found it difficult to settle on an approach to the case studies, without getting so wide in scope that several scenarios would be required. Once I settled on a case study, and thought about the best approach, everything flowed fairly freely after that.
For future candidates I would recommend the following:
Do the homework.
Remain focussed during training sessions.
Read the course materials, particularly the procedural and exemptions materials.
Learn to pick up the key messages and facts being discussed, and note them briefly in your course materials.
Pay close attention to the reasoning included in Commissioner’s decisions, particularly when undertaking the project.
Ask questions. You usually get a pertinent and helpful reply, and it encourages group discussion.
Don’t worry about the exam. If you’ve listened, discussed and read course materials, you will be fine.
Enjoy the course and the access to expertise.
The Practitioner Certificate in the Freedom of Information (Scotland) Act 2002 is suitable for the FOISA novice as well as the experienced practitioner. Thus far we have had very strong candidates from a variety of backgrounds.
Act Now is pleased to announce that it has recently won a contract to deliver data protection consultancy services to the Government of Brunei.
Negara Brunei Darussalam, to give Brunei its full name, is a small country located in Southeast Asia. It is surrounded by Malaysia and has two parts physically separated by Malaysia. For those (like us) who have never been to Brunei, here is a quick guide.
Amongst other things, Act Now’s work for the Brunei Government will involve developing a Data Protection Audit manual based on the Data Protection Policy released by the Brunei Government. This will include guidance on DP audit planning, preparation and the use of DP audit templates. In time we hope to be training government officials on the developed Audit Manual and procedure.
Act Now has been delivering information governance consultancy services to the UK public sector for many years. This includes preparing for audits, designing standard documents and policies and carrying out DP and FOI health checks. We have also developed a number of off-the-shelf products.
The Brunei project will be led by Ibrahim Hasan and Tim Turner, well known experts and trainers in this field. Commenting on the award of the contract, Ibrahim Hasan said:
“I am very pleased that our good work in the UK has now been recognised internationally. This project will give us an opportunity to showcase our expertise to an international audience. As more countries enact data protection legislation, we hope to be at the forefront of developing products and services that will enable those working in this field to develop their skills.”
If you would like to know more about how Act Now can help you please get in touch by e mail.
The Freedom of Information Act 2000 (FOI) applies to information held by a public authority or held on its behalf by another person (Section 3(2)). What of information about people working for a public authority but who are legally employed by a third party?
This question arose recently in an appeal to the First Tier Tribunal (Information Rights) (FTT). In Hackett v Information Commissioner (EA/2012/0265), the (ULT), an education charity running 21 Academy schools, was asked for, amongst other things, details of senior staff members’ pay, pension contributions, other remuneration and expenses. The request was refused on the basis that the information was not held by ULT, but by the United Church School Trust (UCST) who employed the staff and who, as a non-publicly funded charity, is not subject to FOI.
The appellant argued that the corporate structure of ULT and UCST was an accounting process set up to avoid disclosure of the requested information which was about the spending of public money. In addition he submitted that both companies were subsidiaries of the United Church Schools Company and as such were, in effect, both part of one company.
The FTT upheld the decision of the Information Commissioner that the information was not held by ULT, but by UCST, and so not subject to FOI. It took account of the fact that the corporate structure had been urged on ULT by the Department for Education, the two charities had maintained a complete corporate separation and that the service agreement between ULT and UCST expressly referred to the senior staff being employed by UCST. Could this decision mean that more public bodies will adopt innovative structures to avoid public scrutiny of their finances?
The section 40 exemption applies to personal data disclosure of which would breach one of the Data Protection Principles. This usually involves considering whether disclosure would be fair and lawful under Principle 1. Not all personal data will be exempt from disclosure. Sometimes there is a legitimate interest in the public knowing some personal data.
In Innes v Information Commissioner (EA/2013/0044) the FTT ruled that the reasons for a head teacher’s long-term sickness absence from his school did not have to be disclosed as they constituted personal data, but whether the head teacher was being paid a salary during his absence should be disclosed. As head teacher, the individual in question occupied a senior position of responsibility at the school. He was no longer performing an active function at the school and whether or not he was being paid from public funds during the period of absence and inactivity is a legitimate matter of public interest and one which outweighs his right to privacy.
Personal Data under section 40 has the same meaning as in Section 1 of the Data Protection Act i.e. it has to be information, which relates to a living identifiable individual. The requested information does not always have to include a name. Even job title information can be personal data according to the FTT decision in London Borough of Barnet v Information Commissioner and another (EA/2012/0261). Here the requestor wanted the job titles of council employees who had attended a meeting at a solicitor’s firm in respect of a major council outsourcing project. Referring to a Supreme Court decision (South Lanarkshire Council v The Scottish Information Commissioner [2013] UKSC 55), the FTT ruled that disclosing details of a job title held by more than one local authority official could constitute processing personal data if there was a chance of those individuals being identified. The test was whether the subjects could be identified, not just by an ordinary member of the public but, by a “motivated intruder” (including the requestor himself with all the other information at his disposal).
Continuing on the same theme, inYiannis Voyias v Information Commissioner (EA/2013/0003), the FTT held that the London Borough of Camden was correct to refuse to disclose the number of hours its employees worked and how much overtime they were paid.It was satisfied that disclosure of this information would lead to the identification of individuals and would be unfair. Therefore section 40 applied.
Personal data in Building Regulations applications held by councils is not exempt under section 40 just because it relates to another person’s property. In James Henderson v IC EA/2013/0055), the appellant’s neighbour was carrying out renovations on the other side of their shared wall. This resulted in cracks on his side of the wall, followed by a steel beam coming through the wall. He asked Brentwood Council for details of the works, as a Building Control application had been made to them.
The FTT held that full details of a Building Regulations application was personal data; but disclosing this information would not contravene the First Data Protection Principle. Therefore, the exemption set out in section 40(2) did not apply and the information was ordered to be disclosed. The FTT disagreed with the Commissioner, who held that the data subject would have had a reasonable expectation of privacy in relation to the information. In doing so the FTT took account of the fact that (a) before starting any work the data subject was obliged to make a formal application to the local authority which meant that the property and the work would be subject to inspections by their officers, (b) the property was to be rented out rather than lived in by him; and (c) the work had a direct effect on his neighbour’s property.
The Freedom of Information (Scotland) Act 2002 has a specific exemption to cover a deceased person’s health record. There is no such exemption in the 2000 Act. Sometimes the section 41 exemption (Breach of Confidence) can be claimed.
Two recent Tribunal decisions again emphasise the importance of checking whether the requestor is the deceased’s appointed personal representative. In Webber v IC and Nottinghamshire Healthcare NHS Trust (GIA/4090/2012), the appellant had made an FOI request for information (including hospital records) about the death of her son in 1999. The Commissioner and the FTT upheld the decision to refuse on section 41 grounds. The Upper Tribunal also dismissed the appeal. It ruled that disclosure would entail a Breach of Confidence which was actionable after the patient’s death. The appellant was not the personal representative of the deceased even though she could have applied to become so.
The Upper Tribunal also found that there would not have been a public interest defence to the Breach of Confidence. It gave weight to the fact that some of the information sought would or could come into the public domain or be obtained in another way: a coroners’ inquest, or through an application under the Access to Health Records Act 1990. This allows for requests for access to information to be made by, amongst others, the patients’ personal representative.
When considering disclosure of a deceased person’s information, consideration has to be given to any wishes expressed by the deceased before their death. In Trott and Skinner v Information Commissioner (EA/2012/0195) (March 2013) the appellants requested information relating to the care records of their deceased sister. East Sussex County Council confirmed that it held a relevant care file but refused to disclose it on the basis that it was provided in confidence. The FTT and the Commissioner were satisfied that the section 41 exemption was engaged. The requested information was confidential, disclosure of which would be a Breach of Confidence. Amongst other things it took account of the fact that the deceased was given the opportunity to indicate (in her home care agreement) that she agreed to let the Council “share personal information on care with family members/friends listed below.” She did not sign her agreement or list anybody in the space provided. The Tribunal also heard that on several occasions she was given specific assurances that her information would be kept confidential.
Furthermore the FTT was satisfied that the Breach of Confidence would be actionable. This was despite the fact that the sisters were the next of kin of the deceased. They were not the personal representatives of the deceased though. Neither the council nor the Commissioner had enquired as to who was. On further inquiry by the Tribunal, it was discovered that there was a will and therefore an Executor who has standing to act as the deceased’s personal representative. There was no evidence of consent for disclosure under FOI from this Executor. Therefore section 41 was engaged and there was no public interest defence to the disclosure.
