When is wifi free?


Free (/friː/) – adjective: free; without charge, free of charge, for nothing, complimentary, gratis, gratuitous, at no cost; for free, on the house.

adverb: free; without cost or payment. (Avoid freely)

Seems obvious when you ask Google for the definition. No payment of any sort means the goods or service is free. It’s an invitation to enter into a contract but nothing is to be given in exchange for the service of providing wifi. But what if you were asked for something in exchange? What if a shop said wifi is free if you give me an ice cream? Would that make the wifi no longer free? An ice cream certainly exists in a solid form (OK I’ll concede that it has a specific half life) but what if the price was a big kiss or a promise to buy something. Do they exist? Are they tangible? Do they have any value? Does it matter? What if the price was your email address? What if the price was your consent to receive marketing material?

I stayed in a hotel recently that presented me with a card on arrival with my free wifi code. Not even bothering to switch on the TV or use the bathroom (usual bored, middle aged businessman preoccupations) I fired up the laptop.


It’s not an easy screen to read but the word free appears four times. All I had to do was tell them my details.

Why?

If no payment is required no bill will be sent. I could use the code without them knowing anything about me. Starbucks manage to do this without any problems but many purveyors of “free” items need to know your name. Worse, they need to know my email. Worse than that, they had pre-ticked the yes to Marketing box. I unticked it and tried to subscribe without agreeing to terms and conditions but the system prompted me to a) agree the T&C and b) tick the Marketing box.

I complained to reception saying this wasn’t free. No problems Sir. Click on the Conference button at the top of the screen as you’re in a conference here tomorrow aren’t you (wink, wink) and they won’t ask those questions.

I did but just to be sure I decided to read the T&C. First line said by accepting them I would agree to receiving marketing. Trying to buy without ticking them wouldn’t work.

I told reception and she pointed out that all I had to do was use a code and a password and not give any identifiers (like the ones she had taken on the piece of paper I filled in at reception, where the code and password were stored next to my personal details).

Feel free to like this article. Just don’t send money. Or ice creams.

The ICO and Seven Shades of Grey

If you’ve nothing to do at lunchtime and you’re an experienced DP person try the ICO quiz on the difference between Data Controllers and Data Processors. You can find it here. After all it’s not a hard quiz. Data Controllers determine the purpose and own the data; data processors just do as they’re told. For years we’ve had this easy to understand relationship and many organisations have outsourced some work involving personal data, drawn up the contract, monitored the performance of it and we all knew where we were. Data Controllers were liable for any problems and Data Processors just did as they were instructed.

Recent guidance from the ICO changes this. Instead of clear yes/no and black/white definitions the commissioner recommends that each relationship with another person processing your data is examined to see how much influence the other person has over how the data is processed. As a result there are no easy answers. Just some shades of grey.

If you are eager to do the quiz and go for it without reading the guidance prepare yourself for a shock. Better DP experts than yourself have taken the test and not performed at all well.

The guidance is well meaning but bends so far over backwards to accommodate every conceivable possibility that it’s not that useful.

Image credit www.jimbanks.com

IAPP Privacy and Freedom: A review by Lawrence Serewicz (@lldzne)

The IAPP has republished Alan Westin’s best-known book, Privacy and Freedom, which was first published in 1967. Despite its age, the new version, which is the same text with several introductory essays, provides context for a reader coming to it for the first time. The introductory essays, which include one by Westin on how he viewed his work and its impact, provide a useful context for the author, the book and its relevance.


Although the introductory essays offer an insight into the book’s impact and the author’s contribution to the privacy profession, a critical essay would have been welcome because the privacy landscape has changed dramatically. The change is more than technological because it includes the change in cultural attitudes to privacy. The cultural and technological changes have undermined his definition.

For most readers, Westin and his book are best known for providing a robust definition of privacy. His book, and his definition, helped start the debate on privacy, in particular, the fair information practices in the United States, which by turn helped influence the Data Protection Directive in the EU. Westin’s definition is the book’s strength and weakness.

“to control, edit, manage, and delete information about them[selves] and decide when, how, and to what extent information is communicated to others.”

The definition has its critics. Roger Clarke for example criticized the definition as favouring businesses and he provides an alternative definition. He defines it as

“Privacy is the interest that individuals have in sustaining a ‘personal space’, free from interference by other people and organisations”

What is common to privacy definitions is the idea of control, which suggests privacy as autonomy. However, neither definition pays enough attention to the context. Westin’s definition is rightly criticized for its focus on business. However, that is not its weakness. Instead, it is the political context. Westin’s first chapter on the history of privacy fails to situate privacy within the context of the state system or within a political philosophical tradition. Without that context, we misunderstand the intrinsic limit to any individual’s control and what that control can meaningfully achieve. In this criticism, I suggest something more than a reliance on human rights. His view fails to recognize that far from controlling his or her data, the modern individual is a creature of the state to the extent that they do not own or control their personal data. For example, we do not own our National Insurance Number, nor do we own our birth registration nor our Driver’s Licence number, yet decisions about us and how those are communicated are beyond our influence, let alone our control. These are records created by and for the state. The individual has a claim on them but cannot be said to own or control them in any meaningful sense.

A second limit to the book is its impact. To be sure, the book helped start and shape the debate over privacy. It remains a touchstone for privacy professionals, but it has had little impact on the general understanding of privacy. Despite the book and its definition, privacy has become increasingly problematic and confused. The extent to which businesses have ignored Westin’s privacy definition is clear in the recent debates and concerns over privacy standards at Google and Facebook. Companies today succeed by exploiting privacy, personal data, and limiting the user’s ability to control or access the personal data held by them. Moreover, the right to be forgotten, which suggests the ability to delete data, remains unachieved despite Westin’s definition.

A related concern is that Westin’s definition reflects a US perspective, as privacy is approached differently in the UK from the US.[1] The contrast between the two systems limits the book’s final section on policy prescriptions. Although he stressed that privacy is not a technological problem, he failed to address the qualitative changes wrought by “big data”. The technological opportunity changes the way that organisations, and states, can exploit privacy or personal data, which means personal data can become a commodity. What would have been interesting, though beyond the scope of his original book, is a chapter on personal data as a commodity. However, Westin’s definition still resonates.

Westin’s definition still resonates in the way the UK courts now deal with the tort of misuse of personal information.[2] The tension is revealed because Westin’s definition reflects a US approach to individual rights that is closer in spirit to the EU position than the one based on UK common law. We see this tension in the concern over the effect of disclosure, for example seeking an injunction or seeking damages as in the Weller decision for how others have benefitted from the personal information. However, in the cases, the individuals do not control their personal information in a meaningful sense. We may have redress on its use, but that is not control, which the Fairstar decision seems to suggest.[3]

Dr Lawrence Serewicz is a Principal Information Management Officer at Durham County Council. The views expressed in this article are his own and do not represent the views of the Council.

Looking for a Practical DP qualification to enhance your skills and boost your career prospects? The new Act Now Data Protection Practitioner Certificate course is booking up fast.

[1] R. J. Krotoszynski Jr, “Autonomy, Community, and Traditions of Liberty: The Contrast of British and American Privacy Law”, Duke Law Journal, Vol. 39, No. 6 (1990), p. 1398. http://scholarship.law.duke.edu/cgi/viewcontent.cgi?article=3136&context=dlj

[2] See, for example, his summary of the tort and its legal context as well as recent cases exploring it: http://ukhumanrightsblog.com/2014/01/23/new-year-new-tort-of-misuse-of-private-information/

See also this analysis: http://www.panopticonblog.com/2014/01/16/the-googlesafari-users-case-a-potential-revolution-in-dpa-litigation/. The Weller decision, the most recent application of the misuse of personal information tort, is here: http://www.bailii.org/ew/cases/EWHC/QB/2014/1163.html [2014] EWHC 1163 (QB). The judgement provides a good summary of the case law leading to the decision. Image rights, let alone personal information rights, are another field to consider: http://inforrm.wordpress.com/2014/04/30/weller-article-8-and-the-recognition-of-image-rights-hugh-tomlinson-qc/

[3] Fairstar [2012] EWHC 2952 (TCC), [2013] Bus LR D73, [2012] 2 CLC 795. http://www.bailii.org/ew/cases/EWHC/TCC/2012/2952.html

The new EU Data Protection Regulation; Shoulda, Woulda, Coulda?


On the 13th March 2014 the European Union (EU) Parliament voted with an overwhelming majority to approve a new Data Protection Regulation within the EU. Voting on the initial text that was put forward by the Commission, and not the text put forward by the LIBE committee, the EU Parliament seem to have taken a “middle path” with regards to how this Regulation should work. Many of the Commission’s proposed appointed powers have gone, there don’t appear to be any “strict” provisions in there that the LIBE committee would have wanted, and yet this approved draft is proposing a comprehensive and different world for Data Protection.

A fully updated draft has not been released by the EU as yet so I went through the painstaking task of making the edits confirmed by the EU to the original commission text. I can safely say I won’t be doing that again and once the approved draft is published I highly recommend that you read through from the beginning to get a flavour of where the regulation is heading and the wording used. I have however pulled out some of the highlights below for general consumption. Before I start however, I will declare that I am from the private sector but as Data Protection & Privacy is more than just a job for me (it’s a passion) I’m not one of those people that have campaigned against it (even if I think some of it is just barmy in my humble opinion).

For those that have worked only with the UK Data Protection Act this new world comes as a bit of a shock. Instead of a principle-based approach the current regulation is more of a “financial regulation” with specific stances, requirements and demonstrations that certain things are occurring within an entity. For example, Point 60 requires Data Controllers to demonstrate and ensure compliance with the regulation, with a new sentence stating “this should be verified by independent internal or external auditors”.

However, having said that, the EU Parliament have edited Point 65 so that it clears up the “administrative burden” query (or tries to) by stating that yes, controllers must demonstrate compliance with the regulation, however “equal emphasis and significance should be placed on good practice and compliance and not just the completion of documentation”. One assumes therefore that auditing to “a check list” isn’t going to occur even though the regulation spells out some things that need to be done specifically. Interesting…

‘Data Protection Impact Assessments’ are now outlined in points 71a&b and are very similar to the commission’s proposal that assessments should be done on the lifecycle of information management for processing of personal data. Section 75 states that for public sector bodies processing sensitive personal data or data on more than 5000 data subjects in 12 months they will need to periodically monitor compliance with the regulation. Is the requirement to self-audit the same as the requirement to tick a box?

The phrase that appeared in the initial draft on ‘data portability’ has also changed. It is still there but now Point 55 changes the “right to data portability” to “controllers should be encouraged to develop interoperable formats that enable data portability”. Encouraged how and by whom still remains to be seen.

Another ‘hot phrase’ in the initial draft, and the current buzz word after the European Court of Justice decision, is the “right to be forgotten”, and as predicted that has been changed: Point 53 has been updated to state that “the right to be forgotten” is indeed now to be called the “right to erasure” and that this right is overridden where processing is needed for the performance of a contract or to meet local legal requirements. Points 54 & 54a specifically make reference to “online information” and the requirement for the facilitator to block or remove such data if the data subject requests.

On that point, this text also tries to abate similar concerns around the watering down of legitimate interests, and now Point 39 specifically outlines a purpose for processing personal data that is a valid “legitimate interest”: namely processing for Information Security / Network Security purposes where strictly necessary. 39a also outlines that ‘legitimate interest’ can include processing for the prevention or limitation of damages on the controller, providing this does not significantly go against the data subject’s rights and freedoms. 39b adds direct marketing processing as a ‘legitimate interest’, again providing this does not go against the rights and freedoms of the individual. Is it me or do some of these provisions say “You can do it, but…”?

There are some further oddities in here; for example, point 32 states that if a controller does not want to follow ‘data minimisation’ requirements there is a burden of proof to justify the processing of Personal Data for that specific purpose / scenario. Again this is nothing new as this is in line with the principles of the UK DPA but we have not seen a requirement to document and justify before. 32 also states that collecting consent on behalf of 3rd parties is no longer seen as valid consent. Therefore if a business needs 3rd party data alongside the initial data subject’s data, would it need to contact said 3rd party to seek consent? But then, isn’t it processing said data in order to contact them to get the consent? How would this work I wonder… citizens aren’t going to do this for controllers so what other options are there?

Talking of consent, the concern that consent becomes more specific hasn’t been removed as Point 25 clarifies that consent will require “clear affirmative action” by a data subject in order to be seen as a valid consent. Silence or simply use by the data subject of a service would not be acceptable as a valid consent to process personal data. To the above point, how would a controller get such consent from 3rd parties?

Consent has also been factored in for the use of profiling and that consent can be removed at any time. However Point 58 has been updated to state that, for profiling, “Profiling which leads to measures producing legal effects concerning the data subject or does similarly significantly affect the interests, rights or freedoms of the concerned data subject should only be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent”. Now here I believe that “carried out in the course of entering or performance of a contract” means that credit profiling can continue in the UK, otherwise this seems to conflict with current legal requirements on Banks and Lenders to ensure that you as the customer can afford the product they offer and that you as the lender are lending responsibly – this can only be done by credit profiling surely?

Another area of concern from the initial text was around breach notification. There is still no useful outline as to what a material breach consists of however Point 67 confirms that data breach notification to the relevant authority “should be presumed to be not later than 72 hours” – somewhat better than the initial 24 hours but still something causing concern among various industries.

On the up side however, a new point specifically referencing Freedom of Information has been added. Point 18 has been updated to make reference to relevant member states Freedom of Information (FOI) legislation and how this regulation interacts with that. That’s some concerns appeased… or is it?

The EU Parliament have also updated what is expected of us DPOs, and point 75a states that DPOs should have the following experience / qualifications:

  • extensive knowledge of the substance and application of data protection law, including technical and organisational measures and procedures;
  • mastery of technical requirements for privacy by design, privacy by default and data security;
  • industry-specific knowledge in accordance with the size of the controller or processor and the sensitivity of the data to be processed;
  • the ability to carry out inspections, consultation, documentation, and log file analysis;
  • and the ability to work with employee representation.

The controller should enable the data protection officer to take part in advanced training measures to maintain the specialized knowledge required to perform his or her duties.

Overall the current draft regulation has either been improved from what it was, stayed the same, or gotten worse in some places.

There are some ups and downs, and a few more changes that have been made that I have not referenced here (as I could be here all day). As for next steps for the Regulation I really don’t know who to believe. The ICO in a recent statement stated that they don’t believe there will be a tangible regulation until 2017 at the earliest. But in the same breath they also said (they being David Smith the Deputy ICO) that you should get your house in order now with current requirements as this puts you in a good place ready for the Regulation in 2017. Given how the Parliament approved the text way ahead of schedule and that this piece of legislation is the “most lobbied and campaigned on” in the EU’s history I am inclined to believe that all bets are off. I can see the case that it will come through quickly, especially as the EU is very defensive of Data Protection and Privacy of late. But then I also see the argument and stance from the European Council that they don’t want to rush this and instead want to take their time. As this Regulation would need agreement from the Council, the Parliament and the Commission I can see it rattling on for a while. But, as my favourite TV programme as a child used to say “Stand by for action; anything can happen in the next half an hour”. (For those that don’t know, that was from Stingray – and yes, I am a Geek that needs to get out more).

I have my word document unofficial text which I am happy to share on request but it is very much unofficial and really isn’t to be considered “official” in any capacity. Well worth a read though, and again I recommend that when the official text is finally updated and released (the EU moves at its own pace on such things) that you have it as some bed time reading to fill you with hope (and possibly nightmares).

Nighty night.

Scott Sammons is currently a European Data Protection Officer within the Finance Industry and blogs under the name @privacyminion. Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate, which is a qualification designed to give candidates a head start in understanding and implementing the proposed EU Data Protection Regulation.

Definition of Personal Data: Durant Revisited

22 December 2013 marked the 10-year anniversary of one of Data Protection’s most notorious developments, but it came and went without any great fanfare.

It’s not really surprising that the Information Commissioner’s Office (ICO) didn’t issue a press release celebrating the Durant judgment’s birthday, as they have been quietly attempting to erase it from history. The result of a long-running dispute between a former Barclays Bank customer and the now defunct Financial Services Authority, Durant v Financial Services Authority [2003] EWCA Civ 1746 was a significant case. The Court of Appeal judges took a sharp look at the definition of personal data, what kinds of manual files are covered by subject access, and the purposes for which subject access can be used – with controversial results. I happened to speak to a former colleague at the ICO a day after Durant was published, and he described the atmosphere as ‘panic’.

Some of Durant is helpful – the judgement proposes that personal data:

“should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest”.

Those who have worked on Data Protection for a long time will have encountered the view that the mere mention of a person’s name in an email meant that they were entitled to receive it. Durant torpedoed that notion. Other elements remain contentious – the ICO has never agreed with the assertion in paragraph 27 that subject access should not be used “to obtain discovery of documents that may assist him in litigation or complaints against third parties”. The new ICO Subject Access Code rejects this notion altogether, despite the fact that the lower courts have followed the principle ever since. However, Durant’s most irksome element – ‘biographical significance’ – has been put in its place by the same court that invented it.

Mr Durant sought data about the FSA’s investigation into his complaints about Barclays, and his lawyers used an expansive interpretation of ‘personal data’ to stake his claim. The FSA’s focus was on Barclays and its practices, which meant that much of the correspondence Durant wanted was about the bank. He also wanted the names of the FSA staff that had dealt with his complaint. Unfortunately, Auld LJ linked the sensible idea of focus to a ‘biographical significance’ test, stating that personal data must be “information that affects [a person’s] privacy, whether in his personal or family life, business or professional capacity”. This was a complicating and potentially unhelpful development. Focus makes sense – an email in which your name is mentioned in passing may well not be about you. But biographical significance is an unnecessary and restrictive innovation.

For example, when looking at a CCTV image with a person in the centre and bystanders in the background, the idea of ‘focus’ allows you to distinguish between the obvious subject of the image and the others. But asking whether the image is biographically significant raises the possibility that a clear picture of a living, identifiable person isn’t actually personal data if it has no private connotations. Is an image of me walking down the street biographically significant? Many have adopted biographical significance as a rule of thumb, a test to apply whenever the question of personal data was raised. In the public sector, it could mean that data about people that wasn’t biographically significant could be disclosed under the Freedom of Information Act 2000 (FOI) because it wasn’t technically ‘personal data’. In the private sector, anything not ‘biographically significant’ could be legally invisible, subject to none of Data Protection’s requirements.

The ICO’s approach to Durant – after the alleged panic subsided – was initially mixed, but for quite a few years it has been consistent. As some sort of riposte to Durant, in 2007 they published technical guidance on the meaning of ‘personal data’ called ‘Determining what is personal data’ – rather than Durant’s narrow, privacy-piercing interpretation. There are few references to Durant anywhere in the ICO’s output, but the technical guidance makes clear that testing ‘biographical significance’ is far from being an automatic or necessary step – it is for borderline cases when context and common sense don’t get you to the answer.

Many data controllers have been tempted to use Durant as a way of shrinking Data Protection down to a comfortable size. Indeed, when considering FOI cases involving personal data, the First Tier Tribunal appears to see the test as an inherent part of the decision, and biographical significance is often a feature of FOISA decisions by the Scottish Information Commissioner. Nevertheless, the ICO’s 2007 interpretation of Durant is logical. Auld LJ himself said that biographical significance was a notion “that may be of assistance” rather than a fundamental key to understanding personal data. Just as important was the balance provided by Buxton LJ, who noted at the end of the judgement that the tests were “a clear guide in borderline cases”. The Durant case was – in effect – about Mr Durant’s case, and didn’t change Data Protection as much as some have suggested.

For confirmation of this, fast-forward to Edem v IC & Financial Services Authority [2014] EWCA Civ 92, a Court of Appeal decision on a different case concerning another unhappy FSA (now the Financial Conduct Authority) complainant published this month. Mr Durant wanted to use Data Protection subject access to obtain his own data, and everything connected with it. Mr Edem wanted to use FOI to find out data about other people – specifically, the names and job titles of the junior staff who had dealt with his complaint. The FSA and Information Commissioner agreed that the data was personal, and that disclosure was unfair. So far, so uncontroversial. A spanner was thrown into the works by the First Tier Tribunal, to which Mr Edem appealed the ICO Decision. Using the biographical significance test, the FTT found that names and job titles were not biographically significant, and the focus of the information sought by Mr Edem was the investigation. The Edem FTT case was like a hall of mirrors, distorting and reflecting Durant to the extent that a type of information Mr Durant couldn’t get from the FSA under DP was now available to Mr Edem under FOI.

An appeal to the Upper Tribunal restored the ICO position, and so Mr Edem went to the Court of Appeal. A few cases – mainly resulting from appeals on FOISA decisions – have gone high enough in the UK court system to challenge Durant, but all skirted Durant itself. The Edem case was different – Durant and biographical significance had to be looked at head-on. The result is good news for common sense and data subjects, but bad for anyone who wants to finagle their way out of an awkward subject access request.

Paragraph 17 of the Edem Court of Appeal case isn’t the death knell for Durant, but it’s a healthy and heavy dose of context:

“The First Tier Tribunal were wrong to apply Auld LJ’s “notions” in this case”.

When trying to work out whether a person’s name is personal data, the Court says that biographical significance is irrelevant. The question is whether the data identifies a living individual, and without any complicating or contradictory factors, the data is all you need. My name is Tim Turner, and while that’s not enough to find the bearded Act Now Trainer on the internet (there are country singers and ice hockey players and the man who played the Invisible Man on TV in the 1950s to sort through), it’s easily enough to locate information about me in any of the places I have worked. The Court of Appeal in Edem wholly endorses the ICO view of biographical significance as an occasional add-on, and uses Buxton LJ’s comments from Durant itself to back up that approach.

If it was wrong to overplay the effect of Durant, it’s equally wrong to overplay Edem. For the public sector, Durant was always blunted by the onset of FOI – if you successfully argued that data wasn’t personal data about the subject access applicant, they could always ask for it under FOI. The new judgment doesn’t give new rights to data subjects or expand Data Protection’s reach. A person who wants to use Data Protection to get access to large amounts of information to which they have some loose or stretched connection will come to grief just as Mr Durant did. But the Edem case does restore logic – data that identifies a person, even in a relatively benign or innocuous way – is personal data. The Eight DP Principles apply. Even when at work and doing mundane professional tasks, the DPA is likely to be engaged. An apparent loophole has not been closed – the Edem case simply confirms that it was a lot smaller than it may have appeared. The ICO approach is vindicated, and both the First Tier Tribunal and bloody-minded data controllers may have to think again.

Tim Turner is one of Act Now’s well-known data protection experts. He will be considering this and other latest Data Protection developments in his forthcoming DP Update workshops. Read more of Tim’s expert analysis on his blog. Readers wanting to see how the Durant case has been applied in previous decisions should read Ezsias v The Welsh Ministers (2007).

What is “information” under FOI?

Section 1 of the Freedom of Information Act 2000 (FOI) contains the general right of access to information held by public authorities. But what exactly is “information”? Section 84 defines information as “information recorded in any form.” This includes information held on paper, computer, video and audiotapes as well as that contained in manuscript notes. FOI does not give access to information that is known to the public authority but is not available in some recorded form (see Ingle v Information Commissioner (EA/2007/0023)).

Mere marks made on documents are also information according to an Information Tribunal decision from 2009 (O’Connell v the Information Commissioner and Crown Prosecution Service (EA/2009/0010)). Here the Tribunal considered access to manuscript notes made by a defence barrister, during a criminal trial, on his client’s typed police interview record. The Information Commissioner’s view was that some of the notes, which consisted of asterisks and underlining of words on a document, were not information for the purposes of FOI.

The Tribunal rejected this submission. In its view, however tenuous and potentially misleading the material sought may be, it still constituted information; even if it was only information to the effect that certain marks had been made on certain sheets of paper held by the public authority. The Tribunal did however rule that the requested information was sensitive personal data, disclosure of which would breach the Data Protection Principles. Consequently it was exempt under section 40(2) being third party personal data.

It is an oft-repeated phrase that FOI provides a right of access to information rather than documents. However, a request for a copy of a document will generally be a valid request for all of the information contained within that document (including visual format, design, layout etc). In considering whether the public authority has complied with the request, the question is whether all of the information recorded in the document has been provided. It will not be sufficient to rephrase the document or provide an outline or summary of its contents unless the applicant has specifically expressed a preference for a digest or summary under section 11(1)(c).

In April 2013 the First Tier Tribunal (Information Rights) ruled that images of MPs' expense claim receipts were information to which FOI applied (IPSA v Information Commissioner (EA/2012/0242)). The background to the request was that, following the MPs' expenses scandal, the then newly-formed Independent Parliamentary Standards Authority (IPSA) decided that it would not routinely publish images of the receipts submitted to it by MPs in support of their expenses claims. Only text transcribed from the submitted receipts would be published.

A journalist made an FOI request for the actual receipts submitted by a number of MPs. The question arose as to whether images of those receipts held by IPSA contained “information” within the meaning of section 1 of FOI, which was not captured by the transcription process favoured by IPSA. The Tribunal concluded that the definition of information (in this case) included logos, letterheads, handwriting, manuscript comments, and even the layout and style of the requested documents. These were not disclosed to the requestor as a result of providing a transcription, rather than a copy, of the relevant receipts.

The Upper Tribunal's decision on appeal in this case has now put the matter beyond doubt. In Independent Parliamentary Standards Authority v IC & Leapman [2014] UKUT 33 (AAC) Judge Williams dismissed the appeal by IPSA. At paragraph 22 of the judgment he said:

“It is to me also trite to note that the wording on a typical receipt or invoice is only part of what a recipient sees when looking at it. Typically there will be verbal and numerical content to be read and understood, but there will also be visual content to be seen, rather than read, but which may also require to be understood for the recipient to have appreciated the whole of the experience, if I may term it that, communicated by the receipt or invoice.”

In the judge’s view information is more than just the words and figures on a piece of paper. Sometimes the nature of the request will mean that the only way to convey all the information on a document is to disclose the original or at least a copy. He gave the example of Land Registry plans, drawings and photographic evidence of a particular building.

In coming to his decision the judge took note of the Scottish Court of Session decision in Glasgow CC v SIC [2009] CSIH 73 under the Freedom of Information (Scotland) Act 2002 (FOISA). As a general point of principle, the Commissioner and the Tribunal are not bound by Court of Session decisions on FOISA, although such decisions may be considered persuasive where the terms of FOISA mirror the terms of FOI. In the Scottish case the applicant specifically wanted the public authority to provide copies of the documents, although he acknowledged that the same information was available elsewhere. The Court confirmed that FOISA entitles requesters to the information within a document, rather than to a copy of the document itself. To the extent that the request was specifically for copies of the documents over and above the information they contained, it was invalid. The Court rejected an argument that the copy documents were "information" distinct from the information contained within them.

The Court stated at paragraph 45 of the judgment:

“Where the request does not describe the information requested… but refers to a document which may contain the relevant information, it may nonetheless be reasonably clear in the circumstances that it is the information recorded in the document that is relevant.”

However paragraph 48 should be noted:

“The difference between the original and a copy… does not consist in any difference between the information recorded in each document: that information, if the copy is true and accurate, will be identical.” (my emphasis)

In the IPSA case, the judge ruled that transcriptions of the requested receipts would not be “true and accurate”, as they would not contain all the same information as on the originals e.g. logos, style, layout etc.

If you want to know more on the Scottish case, read the briefing note published by the Scottish Information Commissioner. The basic principles (and these apply equally to FOI requests) are:

  • The Freedom of Information (Scotland) Act 2002 (FOISA) provides a right of access to information and not a right of access to copies of specific documents.
  • Authorities should not automatically refuse requests for copies of documents, as long as it is reasonably clear from the request that it is the information recorded in the document that the applicant wants.
  • Requesting a document (e.g. a report, a minute or a contract) is a commonplace way to describe information. Where it is reasonably clear that a request is for the information contained in a document, the authority should respond to the request as one properly made under FOISA.
  • If a request is for a document, but it is not reasonably clear what information is being requested, the authority should contact the applicant to seek clarification.

These are interesting decisions, especially for those public authorities which, when refusing to supply actual documents (such as minutes of meetings), often insist that FOI is about access to information, not documents. Sometimes the requester is interested in the document itself, over and above the information it contains, because it gives further insight into the background and the thoughts or observations of the people who produced it or are its subjects.

Finally, to quote one of our FOI trainers (Philip Bradshaw):

“Much will also in practice depend on the wording of the request. Contrast “How much did you spend on pencils?” with “Can I have a copy of your pencil invoices”. You can clearly provide in permanent form all the recorded information within scope of the first request without copies, but not perhaps for the second.”

Ibrahim Hasan will be discussing this and other recent FOI decisions in the FOI Update workshops which are delivered in online sessions as well as face to face.

Freedom of Information Caselaw Roundup

The Freedom of Information Act 2000 (FOI) applies to information held by a public authority or held on its behalf by another person (section 3(2)). What of information about people working for a public authority but who are legally employed by a third party?

This question arose recently in an appeal to the First Tier Tribunal (Information Rights) (FTT). In Hackett v Information Commissioner (EA/2012/0265), the  (ULT), an education charity running 21 Academy schools, was asked for, amongst other things, details of senior staff members' pay, pension contributions, other remuneration and expenses. The request was refused on the basis that the information was not held by ULT but by the United Church Schools Trust (UCST), which employed the staff and which, as a non-publicly funded charity, is not subject to FOI.

The appellant argued that the corporate structure of ULT and UCST was an accounting process set up to avoid disclosure of the requested information which was about the spending of public money. In addition he submitted that both companies were subsidiaries of the United Church Schools Company and as such were, in effect, both part of one company.

The FTT upheld the Information Commissioner's decision that the information was not held by ULT but by UCST, and so was not subject to FOI. It took account of the fact that the corporate structure had been urged on ULT by the Department for Education, that the two charities had maintained a complete corporate separation, and that the service agreement between ULT and UCST expressly referred to the senior staff being employed by UCST. Could this decision mean that more public bodies will adopt innovative structures to avoid public scrutiny of their finances?

The section 40 exemption applies to personal data whose disclosure would breach one of the Data Protection Principles. This usually involves considering whether disclosure would be fair and lawful under Principle 1. Not all personal data will be exempt from disclosure: sometimes there is a legitimate interest in the public knowing some personal data.

In Innes v Information Commissioner (EA/2013/0044) the FTT ruled that the reasons for a head teacher's long-term sickness absence from his school did not have to be disclosed, as they constituted personal data, but that whether the head teacher was being paid a salary during his absence should be disclosed. As head teacher, the individual in question occupied a senior position of responsibility at the school. He was no longer performing an active function there, and whether or not he was being paid from public funds during the period of absence and inactivity was a legitimate matter of public interest, one which outweighed his right to privacy.

Personal data under section 40 has the same meaning as in section 1 of the Data Protection Act, i.e. it has to be information which relates to a living, identifiable individual. The requested information does not always have to include a name. Even job title information can be personal data, according to the FTT decision in London Borough of Barnet v Information Commissioner and another (EA/2012/0261). Here the requester wanted the job titles of council employees who had attended a meeting at a solicitors' firm in respect of a major council outsourcing project. Referring to a Supreme Court decision (South Lanarkshire Council v The Scottish Information Commissioner [2013] UKSC 55), the FTT ruled that disclosing details of a job title held by more than one local authority official could constitute processing personal data if there was a chance of those individuals being identified. The test was whether the data subjects could be identified, not just by an ordinary member of the public but by a "motivated intruder" (including the requester himself, with all the other information at his disposal).

Continuing on the same theme, in Yiannis Voyias v Information Commissioner (EA/2013/0003), the FTT held that the London Borough of Camden was correct to refuse to disclose the number of hours its employees worked and how much overtime they were paid. It was satisfied that disclosure of this information would lead to the identification of individuals and would be unfair. Therefore section 40 applied.

Personal data in Building Regulations applications held by councils is not exempt under section 40 just because it relates to another person's property. In James Henderson v IC (EA/2013/0055), the appellant's neighbour was carrying out renovations on the other side of their shared wall. This resulted in cracks on the appellant's side of the wall, followed by a steel beam coming through it. He asked Brentwood Council for details of the works, as a Building Control application had been made to the Council.

The FTT held that the full details of a Building Regulations application were personal data, but that disclosing this information would not contravene the First Data Protection Principle. Therefore the exemption in section 40(2) did not apply and the information was ordered to be disclosed. The FTT disagreed with the Commissioner, who had held that the data subject would have had a reasonable expectation of privacy in relation to the information. In doing so the FTT took account of the fact that (a) before starting any work the data subject was obliged to make a formal application to the local authority, which meant that the property and the work would be subject to inspection by its officers, (b) the property was to be rented out rather than lived in by him, and (c) the work had a direct effect on his neighbour's property.

The Freedom of Information (Scotland) Act 2002 has a specific exemption covering a deceased person's health record. There is no such exemption in the 2000 Act, although sometimes the section 41 exemption (breach of confidence) can be claimed.

Two recent Tribunal decisions again emphasise the importance of checking whether the requester is the deceased's appointed personal representative. In Webber v IC and Nottinghamshire Healthcare NHS Trust (GIA/4090/2012), the appellant had made an FOI request for information (including hospital records) about the death of her son in 1999. The Commissioner and the FTT upheld the refusal on section 41 grounds. The Upper Tribunal also dismissed the appeal. It ruled that disclosure would entail a breach of confidence which remained actionable after the patient's death. The appellant was not the personal representative of the deceased, even though she could have applied to become so.

The Upper Tribunal also found that there would not have been a public interest defence to the breach of confidence. It gave weight to the fact that some of the information sought would or could come into the public domain or be obtained in another way: through a coroner's inquest, or through an application under the Access to Health Records Act 1990, which allows requests for access to be made by, amongst others, the patient's personal representative.

When considering disclosure of a deceased person's information, consideration also has to be given to any wishes expressed by the deceased before their death. In Trott and Skinner v Information Commissioner (EA/2012/0195) (March 2013) the appellants requested information relating to the care records of their deceased sister. East Sussex County Council confirmed that it held a relevant care file but refused to disclose it on the basis that the information had been provided in confidence. The Commissioner and the FTT were satisfied that the section 41 exemption was engaged: the requested information was confidential, and disclosure would be a breach of confidence. Amongst other things, the FTT took account of the fact that the deceased had been given the opportunity to indicate (in her home care agreement) that she agreed to let the Council "share personal information on care with family members/friends listed below." She did not sign her agreement or list anybody in the space provided. The Tribunal also heard that on several occasions she was given specific assurances that her information would be kept confidential.

Furthermore, the FTT was satisfied that the breach of confidence would be actionable. This was despite the fact that the sisters were the next of kin of the deceased; they were not, however, her personal representatives. Neither the Council nor the Commissioner had enquired as to who was. On further inquiry by the Tribunal, it was discovered that there was a will and therefore an executor with standing to act as the deceased's personal representative. There was no evidence of consent to disclosure under FOI from this executor. Therefore section 41 was engaged and there was no public interest defence to disclosure.

Give your career a boost in 2014 by gaining an internationally recognised qualification in FOI. Keep up to date with all the latest FOI decisions in 2014 by attending our FOI Update workshops.