How to send sensitive bulk emails

Chelsea and Westminster Hospital NHS Foundation Trust has been fined £180,000 after revealing the email addresses of more than 700 users of an HIV service. This was a classic case of putting all the email addresses of a large circulation group into the CC field so that all users saw everyone else’s email address.

Many of the email addresses would clearly identify individuals and therefore potentially reveal their HIV status to everyone else due to the nature of the email.

ICO essentially found two breaches of the seventh data protection principle:

  • Failing to use an account that could send a separate email to each service user.
  • Failing to provide staff with specific training on the importance of double checking that the group e-mail addresses were entered into the “bcc” field.

This possibly sends a confusing message. If staff had received “specific training on the importance of double checking that the group e-mail addresses were entered into the “bcc” field” but still made an error would there still have been a fine? Is that sufficient as an appropriate technical and organisational measures against unauthorised disclosure of personal data?

I would strongly argue that it is not, when dealing with the most sensitive of personal data as in this case. Well trained staff still make mistakes. In my view employers in this situation should apply poke-yoke principles and not allow this to happen. Such mailing lists MUST be handled by proper management software.

Applying that then it is arguable that the second heading should not have been cited as a causative breach, although it may perhaps have been an aggravating factor. The danger is that ICO findings may lead some to assume that either one of two preventative actions is sufficient even for extremely sensitive data. Using BCC should not be.

Posted in DPA | Leave a comment

Royal Free NHS Trust and Google UK

The murky world of Information Governance in the NHS has been further stirred by the story of the arrangements between the Royal Free Trust and Google UK.

The BBC and others have reported a “data-sharing agreement” between the two. Google will use data derived from access to 1.6 million patient records to develop an app known as Streams that will alert doctors when someone is at risk of developing acute kidney injury.

The agreement (or at least a part of it – there may be more) may be found here. It is headed “Information Sharing Agreement”. It states however quite clearly that Royal Free is at all times the data controller, and Google just a processor. If that is correct it is a data processing agreement or contract not an information sharing agreement. The two are quite distinct though they may run in parallel.

Categorising it as a processing agreement may well account for much of Royal Free’s confidence, see original BBC article and this follow up, that the arrangement breaches neither the data protection principles nor the law of confidentiality.

However it is not entirely clear whether the agreement fully complies with principle 7 of the Data Protection Act which requires a “contract”. Does the document disclose any consideration? Are Google being paid? Who will own the rights to develop and exploit any app or product they develop? Perhaps Google is getting something wider out of this arrangement – e.g. a proof of technology platform? What, really, is the “purpose” as rather vaguely set out at the top of page 3? Whose purposes are these?

Putting those concerns to one side, there is a more fundamental problem. Saying Royal Free is the data controller and Google a mere processor simply does not make it so. These terms are legally defined in section 1 of the Act and illustrated in the ICO guidance.
As noted above it looks pretty clear to an outsider that Google has its own purposes in relation to the use of this data – if that is in any way true they are a data controller as well.

One should also ask what degree of independence that Google has in determining how and in what manner the data is processed. Are Royal Fee really, or indeed competent, to direct Google in its endeavours? If you look at the ICO guidance and examples, and assume ICO is competent in this field, it is almost impossible as an outsider to conclude that Google, with all its specialist skills and knowledge as a data analyst, is not acting, in part, as a data controller. Consider in particular the ICO examples at paragraphs 29-30, and 46-47.

So perhaps it IS a data sharing agreement after all. In which case, as others have commented, it is difficult to see how it complies with the Data Protection Act. Google will be processing sensitive personal data and no Schedule 3 condition in the Act appears to apply. They have no explicit consent and Schedule 3 Condition 8 is not apt.
Further, if in any way Google’s processing as a controller goes beyond that of the direct care of those patients with acute kidney injury, as it seems it surely must, then there is a breach of medical confidentiality which cannot be overcome. Consent to share records other than for direct care cannot be implied and can only be overcome by a dispensation under s251 of the NHS Act 2006 and a search of the current register does not suggest any approval has been given. Perhaps not surprising given the apparently erroneous casting (albeit misnamed!) of the arrangement as merely “data processing”.

Posted in DPA | Leave a comment

NHS Email Armageddon 2016

All intelligent people understand that email and the personal inbox is not a good place to store and manage corporate information.

Many organisations will have formal policies which forbid, frown on, or discourage such practices. A small subset of those may even provide an attractive alternative. Nevertheless most records managers have sleepless nights and dali-esque nightmares involving bloated inboxes (10000 plus messages “just-in-case”) full of stuff (most of it personal data) which has long since passed its sell-by date and been officially deleted. Typically they will also have data protection and sometimes Freedom of Information responsibilities.

The NHS is of course enlightened and has an IG Toolkit which prevents this sort of thing. The NHSMail “Acceptable use policy plays its part in compliance: “NHSMail … is not designed as a document management system. Documents or emails that are required for retention / compliance should be stored within your organisation’s document management system in accordance with local Information Governance policies.” [This paragraph is the April Fool section – the rest is true.]

In practice one of the few tools the diligent records manager has to limit the damage is the email quota. This eventually forces people (other than senior managers who have a secret tool to increase their quota) to sort out the worst and oldest of the mess. Sometimes (rarely but we can hope) at this point they seek advice.

So wake up NHS records managers. NHSmail2 is nearly docked. The base quota is about to be increased from a typical 400mB (bad enough!) to 4gB for all users.

Posted in DPA | Leave a comment

The appeal of Alzheimers

On 5th January 2016 the Information Commissioner (“ICO”) served an Enforcement Notice (“EN”) on the Alzheimer’s Society under s40 of the Data Protection Act 1998 (“the Act”). The background is set out in the EN and need not be repeated here save to note that there is a clear history of concern on the part of the ICO as to whether the Society was complying with its duties under the Act.

The Society is appealing against the EN, or at least some parts of it and this has garnered much criticism in some quarters (see e.g. here including an adverse comment by me), to the effect that the Society should simply get on with what it should do to comply and not waste charity monies on unmerited appeals. The Society has defended its actions essentially on the basis that aspects of the EN are unclear and this is particularly unfair (they say) given that they have limited resources. Resource is a relevant issue – see Schedule 1 Part II Paragraph 9 of the Act. One would not expect them to go into more detail at this stage.

As a matter of law one must have some sympathy with their position. Failure to comply with an EN is a criminal offence. See s47. An EN may therefore effectively be equated with a court order.  It is clear law in many areas that a court order must be precise and capable of being understood by the person to whom it is directed. That person must be clear and in no doubt as to the steps that are required for compliance. An issue here clearly is whether an EN should be similarly clear given the potential sanction for breach

As indicated the full basis of the appeal is not known at this stage but consider paragraph 9 of the EN which perhaps most clearly raises the issues:

“Appropriate organisational and technical measures are taken against the unauthorised access by staff (including volunteers) to personal data”

That is effectively a statement of the requirement in data protection principle 7. But the EN does not say what ICO considers to be appropriate on the facts of the case. How will the Society know if and when it has met the relevant standard? Is this part of the Order sufficiently clear? Privacy and data protection advisers will know just how difficult it is in practice to set the relevant standard for a particular organisation, given that the standard is mutable having reference to the factors set out in paragraphs 9-12 of Schedule 1 Part II.

Similar issues arise on other parts of the EN but perhaps to a lesser extent. For example paragraph 5 refers to encryption “.. which meets the current standard or equivalent”. Which current standard? AES? DES? 128 bit? 256 bit? Quantum cryptography?

The appeal if it is pursued actually raises therefore a matter of general importance relating to EN’s. This issue can arise in other areas. For example a subject may claim he has not received all the personal data he is entitled to following a subject access request under s7 of the Act. The ICO on investigation agrees and orders the data controller to disclose “all the personal data to which the subject is entitled”, or something similar, where one issue was whether certain information was or was not ‘personal data’. Is that acceptable or must the ICO go through the material and decide and specify exactly what he considers to be personal data so that the data controller is in no doubt at all what he needs to disclose?

A decision in this case may bring some welcome clarity.

In fairness I must mention the defence in s47(2) of the Act. A data controller is not guilty of an offence if he “exercised all due diligence to comply with the notice in question”. There may be an issue as to whether, and as to the extent to which, the availability of this defence moderates the requirement that an EN be precise. Where the EN is as vague as paragraph 9 I have my doubts as to how much it can do so. It may be possible to assess due diligence for requirement 5 (encryption standard) where there are some definitive published guidelines but how do you test due diligence for a requirement which is not actually specified and has such a wide range of variables as set out in the Act.

The defence may actually make a non-specific EN practically worthless. Compliance could become a tick-box exercise in producing documentation and accepted risk assessments to set your own standards. Unless you set these at a level which no reasonable data controller could possibly accept the due diligence defence would always be available.

In summary paragraph 9 of the EN does not appear, as required by s40, to specify the steps required for compliance with principle 7. It simply appears to specify and repeat that the data controller must comply with principle 7 – which is already a legal duty.

Finally it is interesting to note and compare, given their current position, the undertaking that the Society signed in February 2010. It does contain some similarly vague terms e.g. “Physical security measures are adequate…” although the equivalent of paragraph 9 of the EN actually let them decide for itself what standard was adequate; “The data controller shall implement such other security measures as it deems appropriate… ”. There may equally be a lesson for anyone contemplating giving an undertaking – make sure there is no doubt what you need to do to comply with your own promises.

Posted in DPA | Leave a comment

Do Children Have Rights (Part 2)

How far can we rely on Information Commissioner’s Office (ICO) Guidance?

I recently commented on the issue of schools internally publicising the performance of pupils. But what about publishing to the world? The concerns expressed below may be more serious than those I referred to last time as they directly involve the guidance issued by the Information Commissioner’s Office (“ICO”).

It’s nearly exam season and the ICO was mindful last year (14th August) to publicise via its Twitter account guidance updated as recently as February 2014 on publishing results:

#DPA does not stop exam results being published in local paper, but objections must be considered…

The guidance which can be found from the above link, is quite clear in its conclusion:

The DPA does not stop the publishing of examination results by schools, e.g. in the local press. But schools have to act fairly when publishing results and must take seriously any concerns raised.”

As is apparent ICO takes the view that the issue is essentially one of fairness and the rest of the guidance deals with this issue, as well as dealing with objections, in some detail. In effect the guidance is that providing schools make every effort to tell parents and pupils that they intend to publish, and there is no valid objection, the school will not be in breach of the Data Protection Act by so publishing.

Since an individual’s results are clearly personal data, this is in accordance with the first data protection principle that “Personal data shall be processed fairly and lawfully…” For many this may seem quite in accord with common sense. I can (just) recall a time when I was taking school exams and it was quite routine for my local paper to publish the individual O’ and A’ Level Results for all pupils and schools in the city where I lived. No-one batted an eyelid in those more innocent days.

But hang on a moment. Principle 1 also requires that “… at least one of the conditions in Schedule 2 is met.” The ICO guidance makes no mention of this at all. It only deals with fairness. A quick consideration of the available conditions shows that only conditions 1 or 6 could possibly be available.

1. The data subject has given his consent to the processing.

6. The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

It is not obvious which condition ICO thinks applies in this case although it is likely that he is adopting condition 6 as the guidance does say that, “In general, schools do not need peoples’ consent to publish examination results”.

If he considers condition 1 applies he is falling into the fundamental error of confusing the giving of adequate privacy / fair processing notice with consent. But condition 1 surely does not apply here. Consent, as the ICO Guide to Data Protection tells us is “…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”. The guide goes on to warn that there must be some active communication of consent and this means that a school, however much notice it has given, cannot lawfully infer consent from a failure to respond or object.

If he considers condition 6 applies, it is strongly arguable that publishing fails to meet this condition on a number of grounds.

Where is the legitimate interest in the school publishing identifiable pupil information, as opposed to the alternative of publishing anonymous school performance results? Closely related one can ask, “Where is the necessity?” Case law clearly establishes that when considering “necessity” one must consider Article 8 Human Rights and that in doing so “necessity” requires that there be a pressing social need to infringe the individual’s basic right to privacy1. One can accept that there may be a pressing social need to have clear information about the overall performance of a school but that clearly does not extend to the individual’s data. In concentrating on fairness ICO appears to totally ignore the other requirements of condition 6.

Also in November 2012 ICO published an Anonymisation Code of Practice. This makes the succinct point: “However, where the use of personal data is not necessary, then the objective should generally be to use anonymised data instead.” The Guidance on exam results does not seem to accord with his own principle expressed here.

This may seem a complex analysis for processing which does not, it is conceded, seem particularly unfair. But there are two important points to note.

Firstly it is precisely these areas of the interface between fairness, anonymisation and consent which in practice cause the most difficulty for data protection officers and advisers. Whilst there is an element of risk management involved, such issues need to be solved by a rigorous analysis and application of the law. To omit or ignore such analysis when the opposite conclusion feels right is a recipe for potential disaster. In the present case it may not cause much damage. On another occasion and in different circumstances the same approach may leave a data controller open to enforcement, damages and fines.

Secondly, a hard pressed data controller needs to be able to rely on sound guidance from the ICO as regulator. If guidance is as incomplete in its analysis as this appears to be then a struggling data controller has a right to be a little aggrieved.

1In the case of Corporate Officer of the House of Commons v Information Commissioner [2008] EWHC 1084 (Admin), the High Court said at paragraph 43 that ‘necessary’ in Schedule 2 condition 6 meant that there must be a “pressing social need” for disclosure.

Posted in DPA | Leave a comment

Do schoolchildren have rights?

My eye was caught recently by this article on the BBC News channel. It seems some, no doubt well-meaning,* Head thought it a good idea to create what was in effect a league table of pupils’ ability by displaying their names and photos on a classroom wall along with how they ranked based on academic performance. It seems from the article that without doing this they felt they would be unable to provide individual support to allow pupils to improve. Who am I to argue with that?

Whilst it seems a large number of parents and pupils, possibly I suspect those in the relegation zones, thought this was inappropriate and possibly counter-productive no-one seems to have queried** whether the school had a right to do this. This intrigued me because it had parallels with a blog post I wrote a couple of years ago but seem to have forgotten to publish. More of that later.

Clearly the school is processing personal data. There is no suggestion that this has been done by consent of the pupils. I will skip over whether there is a breach of confidentiality involved as that is rather a difficult topic. But data protection law is rather easier.

Was what the school did fair? A significant number of those involved appear to think not, which is usually a good indicator. A pity perhaps that the school was not in Clapham (it’s in remotest Northumberland) then we could cross check to see how many of the objectors went to school by bus to clinch the question. If not fair Data Protection Principle 1 is breached.

What condition in Schedule 2 of the Data Protection Act can the school pray in aid of their actions in the absence of consent? I can ignore the unknown factor of any attempt to imply consent from the school’s prospectus or terms here as that would not be freely given informed consent. The only possibility is the well worn condition 6. Let us set it out – my emphasis:

The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject. [note singular case]

The school clearly has a legitimate interest in raising standards. For argument’s sake let us give them the benefit of the doubt that they have sufficient evidence that “transparent communication” works to do that at a school level – although personally it seems a bit flaky and I would like to know more about how and when (timing seems to be relevant) it was done in those schools were it was said to have been a successful strategy.

What is far more doubtful is whether it is “necessary” to do this. The stated aim is to ensure pupils are “aware of their relative-ability levels prior to entering examinations”. If that is true I have little doubt it could be achieved in another way. The necessity test fails and this would be a data protection breach.

I strongly suspect however that the stated aim is a euphemism for the true aim which is hard to state in a PC world. I strongly suspect that children are pretty well aware of their relative standing (they certainly were in my class!). No the point here is that awareness is not enough. We need to name and shame and embarrass them into pulling their socks up. If that is the true aim perhaps necessity falls into place – although fairness still seems iffy. And if it works for Charles and Charlotte the means may be justified by the end and the processing is possibly not unwarranted. But will it work for everyone? Probably not and that causes a fundamental difficulty. Condition 6 (and probably many other parts of the law) requires the school to consider the position of each data subject affected. If this exercise has the opposite effect of demotivating or causing other difficulties for any pupils then, considering those pupils, surely the processing is unwarranted. Or perhaps we are in Spock’s realm of the needs of the many outweighing the needs of the one. I’m not convinced data protection is meant to work that way, particularly where children are concerned.

In summary I think that there is a strong argument that what this school did was in breach of principle 1 – unfair and no schedule 2 condition satisfied. Anyone care to tell the distressed kids, they may have a claim for damages?

My other post, which must await another day as I have gone on far too long, was about exam results.

*I can tell they were well-meaning because they us all the right words like “innovative strategies”, “group-learning classroom***” and “transparent communication****”.

** Apologies if this has been picked up on the DP twitter-sphere which I am currently gracing with my absence.

*** Better for kids than solitary-learning cells.

**** (running out of star space soon) Presumably they previously communicated in code without giving out the code-book.

Posted in DPA | Tagged , | Leave a comment

Volunteers and Data Protection

The Information Commissioner recently published a report  following a series of visits to Victims’ Services Alliance Organisations. These are typically charities but the report is also aimed at non-charitable volutary organisations.

One issue touched is the question of identifying who is a data controller and who is a data processor. ICO found that service agreements did not always refer to data protection, information security or any records management procedures. It was sometimes unclear, in terms of the DPA, who was the data controller or data processor and what would happen to the personal data they are holding should the relationship with the organisation break down, or the agreement be terminated. ICO recommended:

Organisations should refer to the ICO’s data controllers and data processors guidance which explains the difference between both categories and the implications for the organisations concerned. Once the relationship has been determined, this should be formally documented along with the relevant roles and responsibilities. Create a counsellor’s agreement which covers, as a minimum, the security provisions that are expected for any documents containing personal data about a client, and the response times that are expected to be met for any requests for information from management.

Unfortunately, as practitioners well know, deciding what is what in this area, is often very difficult, and involves interpreting the definitions of data controller and processor in section 1 of the DPA. This is likely to become an increasingly important issue as some public services are ‘contracted out’ to charities and other voluntary organisations.

The controller is the person who “who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;” and the processor is someone other than an employee of the data controller, who processes the data on behalf of the data controller”. To make matters worse, in some situations a person may be both controller and processor.

There are some clear pitfalls to avoid, and these will be considered in the light of a fairly typical situation of a Local Authority handing over the running of a local library to a voluntary community organisation. Under the 1964 Public Libraries and Museums Act, councils have a duty to provide a ‘comprehensive and efficient’ public library service. Running a library service inevitably involves handling personal data of customers. Whilst this may well not technically be ‘sensitive personal data’ it can have sensitive and confidential implications: type of book borrowed, websites visited on library computers etc.

As this is a statutory function, the Council is often likely to remain data controller in relation to the customer data. It remains the Council’s purpose, and in most cases it will still be run to Council processes. The voluntary organisation (“VO”) would then be a data processor, with all the implications for the Council & VO under principle 7 including:

  • appropriate contractual terms dealing with DP responsibilities
  • due diligence by Council in appointing and monitoring the running of the service
  • VO responsible for taking appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to the personal data including vetting and training ‘staff’ – although the agreement could of course pass this back to the Council in reality

In such an arrangement, where the VO is purely a data processor, it is probably not necessary (at least in DP compliance terms) that the Council obtains customer consent for the new arrangement, although the requirement of fairness (and political reality) suggests that they should be told.

However it is possible to imagine other ways of farming out this service where the VO actually has some leeway to provide new and innovative services outside the core duties imposed on the Council, which it would determine and manage for itself. In such a case the VO could become a data controller in relation to using personal data for these purposes. In this case there would almost certainly need to be a renewal of customer consent which would have to be managed carefully before the VO could use the personal data.

Great care must also be taken over the status of the ‘staff’ themselves. There is a difference, not often recognised, between pure volunteers, and ‘voluntary workers’. Because of the definition in DPA. a pure volunteer, i.e. someone who does not have any form of contract of employment or contract to perform work or provide services and is under no obligation to perform work or carry out instructions and can come and go as they please with no expectation of any reward, would have to be regarded as a data processor in his or her own right, as they would not be an ’employee’ of the VO. It would be almost impossible for either Council or VO to comply with its data protection obligations if such a volunteer had access to personal data.

The VO should therefore employ “voluntary workers” with a formal contract within the meaning of s44 of the National Minimum Wage Act. This would be sufficient to make them an ’employee’ in the terms of the DPA definition, and the contracts should have appropriate confidentiality clauses. The VO would then take vicarious liability for the acts of the volunteers.

Posted in DPA, FOI | Leave a comment

Don’t Expect ICO to argue your case

When applying to the Information Commissioner under s50 FOIA to overturn a refusal by a public authority it is important to marshal all your arguments and understand what is available to you.

This was illustrated in a decision in September , case number FS50546586 where the requester sought information from the Ministry of Justice relating to the Court Proceedings Database including the names of offenders found guilty of offences under the Housing Act 2004 held on that database. Disclosure was refused by the MoJ on the basis of the personal data exemption.

Not surprisingly ICO overturned this in relation to those convicted who were companies, as it was not personal data, and the applicant was quite pleased with his partial victory. See

But what of the guilty who were private individuals. ICO correctly found that in their case the information requested was sensitive personal data. Such data cannot be released if to do so would breach the data protection principles and here we are concerned with Principle 1 : “Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless— (a) at least one of the conditions in Schedule 2 is met, and (b)in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

The ICO carefully considered fairness in relation to the individuals and concluded that disclosure would indeed be fair. He then looked for a Schedule 3 condition and considered the only possible candidates : 1. explicit consent and 5. information  made public as a result of steps deliberately taken by the data subject. He was satisfied that neither of these applied and that was the end of the matter.

The Commissioner must uphold the MoJ’s application of the exemption at section 40(2) in respect of the sensitive personal data in this case. He does so not on the basis that disclosure would be unfair but on the basis that there is no applicable Schedule 3 condition. The personal data is therefore exempt from disclosure.

But surely he should have considered Para 3 of the Schedule to The Data Protection (Processing of Sensitive Personal data) Order 2000, of which I suspect the applicant was blissfully unaware.

The disclosure of personal data— (a)is in the substantial public interest; (b)is in connection with— (i)the commission by any person of any unlawful act … (c)is for the special purposes as defined in section 3 of the Act (i.e. journalism) ; and (d)is made with a view to the publication of those data by any person and the data controller reasonably believes that such publication would be in the public interest.

Given the basis of ICO’s decision on fairness it must have been very strongly arguable that this could properly be applied – applicant was a journalist after all. This has been used successfully in the past see e.g. discussion of the Nick Griffin case on the excellent Panopticon blog

And if a Schedule 3 condition ( in the extended sense) could be found it is not hard to find a suitable condition in Schedule 2

Posted in FOI | Leave a comment

Does Alan Duncan MP read his printed emails?

One must assume that Alan Duncan does read his emails but we have recently learned that he does tend to print them out. This possibly reprehensible exercise has led Mr. Duncan to introduce a Private Member’s Bill to outlaw the inclusion of “useless” legal disclaimers at the bottom of emails:

His beef is that when you print out such an emails you eventually waste several forests worth of paper “as page after page spews out”.

Mr Duncan actually makes a valid point about the limited contractual or legal validity of such disclaimers. However they can serve a useful purpose in advising unintended recipients what they should do, as good and responsible citizens, if they receive something which was not for them, and in a worst case scenario might protect them from doing something they later regret. Not as much as the sender will regret it, of course, as anything truly confidential or sensitive should have been encrypted and not accessible to a wrong recipient. Indeed the presence of such a disclaimer may be leading some senders into a false sense of security, and blinding them from the need to take other precautions.

However it was the printing issue, not the security issue which really upset Mr. Duncan. That small bubble of the Twittersphere which concerns itself with Information Governance matters has had a quiet titter about this. Any self-respecting Records Manager has been advising for many years that emails are (by and large) not for printing, and should be retained, if necessary, in the electronic world, preferably as part of a properly designed records management system, rather than in an ever-bloating Inbox. I do hope Mr Duncan’s departmental information team knows about these printed copies.

But has Mr Duncan actually read these exponentiating (actually an arithmetic-progression but lets ignore the maths) pages. Whilst I have seen some wordy disclaimers, I do not recall any which would merit the description “page after page”. No. I fear what Mr Duncan is actually experiencing is the endless repetition of material in a lengthy email conversation. With many users including senders text by default (bad idea in my view) when replying to an email, the last email in a 20 email exchange will include all 20 emails, and yes, if the actual exchanges are short, most of that when printed will consist of headers, footers, and disclaimers.

In short Mr Duncan has focussed on the wrong problems. Why print ? Why include prior text?

One solution Mr Duncan proposes is probably not a sensible idea. He suggests that the disclaimer should be a simple link. However if we accept that the real purpose is as a warning rather than attempting to create a legal obligation, this may un-necessarily dilute the warning effect. The better solution would be a short bold warning / disclaimer plus a ‘further-information’ link to more detail on a website – or not to send sensitive stuff by an open channel.

Of course there could be a relatively simple technological fix to this printing problem, for those cases where printing emails could be justified. All that would be required would be an amendment to the relevant standards such as SMPT to require a code to be embedded in an email at the start of any ‘prior text’, and for printer manufacturers to provide a default setting of ‘print nothing after this point’. I fear we are 20 years too late for that.

Posted in FOI | Leave a comment

Defamation, Data Protection and Journalism

It has for some time been recognised that, with changes to the law of defamation, there might be increasing use of an alternative cause of action under section 13 of the Data Protection Act 1998 (“DPA”). This is not perhaps surprising, as defamation necessarily involves the use of personal data (often sensitive) and data protection law, subject to some important exceptions, prevents any use of personal data which is unfair or inaccurate. For a lawyers perspective on these issues see this article on the highly-recommended Panopticon Information Law blog: .

That is not to say however that aggrieved plaintiffs will be likely to obtain a damages bonanza of the type which has been awarded in some historical defamation cases. In the view of the Court of Appeal in Halliday v Creation Consumer Finance Ltd: “… it is not the intention of the legislation to produce some kind of substantial award. It is intended to be compensation..” ([2013] EWCA Civ 333, at paragraph 36). In that case damages of only £1 were awarded under s13(1) DPA and an additional £750 for distress under s13(2). In another recent case CR v Chief Constable PSNI ([2014] NICA 54, at paragraph 24) the total awarded under DPA was simply £1. Similarly where there is a successful claim for breach of confidence, it is unlikely that anything additional will be awarded for the breach of DPA, which will usually be established,  as a breach of confidence makes the use of personal data unlawful and therefore a breach of the first data protection principle. For example in Weller and others v Associated Newspapers Ltd ([2014] EWHC 1163 QB at paragraph 23) the court considered that the claim under DPA “did not add anything of significance to the primary claims for damages”.

The situation becomes even more complicated where the alleged defamation is published in the course of “journalism”. Then the exemption under s32 DPA may well come into play. In essence processing personal data for the purposes of journalism may be exempted from key provisions of the DPA if in the reasonable opinion of the data controller compliance with a particular provision would be incompatible with the journalistic purpose. This is potentially a very wide exemption. In theory it could even justify publishing unfair and inaccurate data by dis-applying the first and fourth data protection principles, although it is hard to imagine forming a reasonable opinion to that effect.

This exemption was discussed in a recent PressGazette article: “Victims of media abuse may turn to the Data Protection Act now that it is harder to bring libel actions” ( ). That article however rather oversimplifies the effect of the s32 exemption and is in fact inaccurate in suggesting that the PSNI case referred to above resulted in an award of £20000 under DPA. That sum was awarded for negligence in relation to Post Traumatic Stress Disorder. The DPA award was a miserly £1.

The article suggests that the s32 exemption does not apply to a claim for compensation under s13 DPA. That is not strictly correct. Although s32 does not specifically mention s13, a s13 claim will usually be based on a breach of s4(4) of the Act i.e. a breach of one or more of the data protection principles, and s32(2) allows a defence in such a case, unless the principle breached is only s7. This would not usually the case as a plaintiff would typically be alleging against a publisher breaches of the first (unfair or unlawful for breach of confidence), third (irrelevant or excessive) and fourth (inaccurate) principles.

In summary, whilst disgruntled plaintiffs may be pleased to have a DPA claim in their armoury, it is not going to be a panacea for a multitude of new substantial claims. Firstly damages will often be quite limited, and may not add to other causes of action such as breach of confidence, and in many cases the s32 exemption may well bite. In that context it should be noted that the availability of this defence may not be limited to ‘traditional’ journalistic sources – see. e.g. “Are we all journalists” . But that is another story.

Posted in DPA | Leave a comment