The curious case of charging for environmental information

In the ICO’s guidance “Charging for Environmental Information (Regulation 8)”, http://tinyurl.com/pevwe2g , updated (version 1.3) in June 2014, he concedes, based on East Sussex County Council v Information Commissioner and Property Search Group (EA/2013/0037), http://tinyurl.com/k99up27 (see paragraph 17), that a reasonable charge for supplying environmental information CAN include “the cost of staff time spent locating, retrieving and extracting the information” (paragraph 14).

What then are we to make of his Guide to the Environmental Information Regulations, http://tinyurl.com/l8kn7e9 , updated (version 2.2) five months later in November 2014, which states at page 32: “Any charge should be ‘reasonable’ … It should NOT include the cost of staff time in identifying, locating or retrieving the information from storage.”

Curiously, ICO seems to be saying you can do this, but I would prefer it if you didn’t.

Even curiouser, in the June guidance ICO says he had had a change of heart on this issue and did not think the previous law on the point derived from Kirklees Council v Information Commissioner and PALI Ltd [2011] UKUT 104, http://tinyurl.com/lzc5aco , was “now sustainable”, which is rather an odd proposition given that this was an Upper Tribunal case and, as we know, the Upper Tribunal is a Superior Court of Record, which means that its decisions create legally binding precedent – similar to the High Court. So ICO has, it seems, overruled legal precedent by making a concession in a lower court case.

Curiousest of all, I am not actually convinced the Kirklees case decided any such thing, being based on arcane questions relating to charging for information in the public Land Charges register – so perhaps that puts us back to square one. If nothing else ICO needs to sort out his guidance, otherwise he may face a rash of disgruntled appellants from both sides of the battlefield who have followed the wrong advice – whichever that is.

Posted in EIR, FOI

Images as Personal data

One of the less obvious consequences of the Ryneš decision which I discussed in a recent post is what it says about the nature of images. At paragraphs 21-22 of the judgement:

The term ‘personal data’ …  covers, according to the definition under Article 2(a) of Directive 95/46, ‘any information relating to an identified or identifiable natural person’, an identifiable person being ‘one who can be identified, directly or indirectly, in particular by reference … to one or more factors specific to his physical … identity’. Accordingly, the image of a person recorded by a camera constitutes personal data within the meaning of Article 2(a) of Directive 95/46 inasmuch as it makes it possible to identify the person concerned.

Clearly and unequivocally the court considers that an identifiable image is personal data. No discussion of the purpose of processing or the potential impact on the subject. No consideration as to whether the person taking or holding the image is using it to learn something about the individual.

Experienced data protection professionals will no doubt be familiar with the ICO guidance on determining “what is personal data”: see http://tinyurl.com/ljy2c96

The discussion by and conclusions of the ICO on pages 15-16 of this guidance, about the same photographs being personal data in the hands of one person but not in the hands of another, based on purpose and impact, are clearly, following Ryneš, now unsupportable*. Just as it is now pretty clear that (given context sufficient to identify) a name is personal data (Edem v ICO & FSA [2014] EWCA Civ 92), so now a photograph of sufficient quality to identify IS personal data. Of course the taking, holding and use of photographs may be permitted or exempt from restrictions for many reasons, but a photograph must now be regarded as personal data even in those cases where the ICO guidance says it is not.

* To be fair, if you follow the logic of the guidance the ICO conclusions in the examples were always a bit suspect. They come under Q5: “Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?”. In those example photograph cases where the ICO considered the answer to this question was no, the logic of the guidance was that you then ask questions 6, 7 and 8, and a yes answer to any of those (which is likely in the case of photographs; I do not intend here to discuss Durant v FSA) always indicated “personal data”, in contradiction of the purpose-based conclusion under Q5.


Posted in DPA

Video Surveillance and the domestic purposes exemption

The recent EU case of Ryneš (http://tinyurl.com/mhs6btl ) raises some interesting issues for users of CCTV systems on domestic premises.

The decision of the court is quite clear. If the CCTV is set up so as to also record people in public spaces, e.g. the adjoining street or footpath, then the exemption does not apply. See paragraph 33 of the judgement (my emphasis):

To the extent that video surveillance … covers, even partially, a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner, it cannot be regarded as an activity which is a purely ‘personal or household’ activity for the purposes of the second indent of Article 3(2) of Directive 95/46.

Consequences include, under the current Data Protection Act 1998 and associated regulations:

  • The operator needs to register as a data controller since, without the s36 exemption from Part III of the Act, no other exemption from notification seems to apply
  • Running the system without such notification is a criminal offence (ss 17 and 21 of the Act)
  • The system would probably be unlawful (principle 1, fairness) unless the operator could reasonably show that he could not record on-premises without inevitably covering some public space
  • The operator must respond to subject access requests from anyone who may have been recorded in the public space, and may need to be able to remove third party images if supplying a copy of the data
  • The operator needs to have similar regard to the need for clear and visible signage as would apply to other CCTV surveillance
  • If the operator takes a risk, perhaps rightly surmising that the ICO is unlikely to proactively enforce the strict legal position, and does not register, he must still respond to any request for information about the system within 21 days under s24. Failure to so respond is a criminal offence.

The judgement itself says very little about the rationale. In addition to paragraph 33 it adds at 35:

Article 3(2) of Directive 95/46 must be interpreted as meaning that the operation of a camera system, as a result of which a video recording of people is stored on a continuous recording device such as a hard disk drive, installed by an individual on his family home for the purposes of protecting the property, health and life of the home owners, but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity, for the purposes of that provision.

The combination of these provisions as set out in the judgement, without explanation, would seem to lead to the logical conclusion that activities such as: recording video on a mobile phone; cyclists using a helmet camera; or using a car dash camera would be equally outside the s36 exemption. These activities meet the criteria in paragraphs 33-35 of the judgement. That is however probably not the intention of the court. We need to look at the advocate general’s opinion (http://tinyurl.com/kmmul4f ) to see that domestic CCTV is in effect a special case which can be distinguished from these other activities. See paragraph 33:

recordings of this kind taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.

It is of course much more difficult, and therefore has much less impact on privacy, to draw such conclusions from non-static recording. It is probably safe to assume, for now at least, that this decision only applies to the specific case of a home CCTV. Indeed the advocate general effectively says as much at paragraph 30:

the present question … relates to a type of fixed surveillance system which covers a public space as well as the door of the house opposite, thereby enabling the identification of countless individuals without them having been informed of such surveillance beforehand. By contrast, the legal questions associated with recordings made using mobile phones, camcorders or digital cameras are of a different nature, and so will not be addressed in this Opinion.

It will be interesting to see over the coming months whether and to what extent ICO amends his guidance on these issues. One possibility might be a specific exemption from notification for domestic CCTV, but it is at least doubtful whether that could be achieved. S17(3) limits exemption to cases where processing is “unlikely to prejudice the rights and freedoms of data subjects” and such a conclusion would seem to fly in the face of the judgement which is strongly based on the need to protect the “fundamental rights and freedoms of natural persons, in particular their right to privacy” – see paragraph 27.

See also the discussion here: http://tinyurl.com/pf4338c


Posted in DPA

The Local Safeguarding Children Board as Data Controller

What is a Local Safeguarding Children Board (LSCB)? It is a statutory body which local authorities responsible for children’s social services are required to set up under s13 Children Act 2004.

  • Each local authority in England must establish a Local Safeguarding Children Board for their area

The responsibilities of the LSCB are essentially set out in the Act and in The Local Safeguarding Children Boards Regulations 2006. These include:

  • developing policies and procedures for safeguarding and promoting the welfare of children
  • communicating the need to safeguard and promote the welfare of children, monitoring and evaluating the effectiveness of what is done by the authority and their Board partners
  • participating in the planning of services for children in the area of the authority;
  • undertaking reviews of serious cases

Participants in an LSCB are referred to in the legislation as Board partners. Apart from the functions, and reference to statutory guidance, the Act and Regulations are largely silent as to an LSCB’s powers. There is for example no granting of powers to employ persons or hold property. Consideration of s15 of the Act suggests that in effect staff, goods, services, accommodation and other resources will be provided by Board partners. LSCBs are required to have lay members – each LSCB must have at least two individual lay members who reside in the area – and it is notable that s13(5B) of the Act gives the authority, but not the LSCB, power to pay the lay members.

There are potentially up to 150 LSCBs in England. The actual number is somewhat less as authorities are able to share functions and create a joint LSCB for more than one Council area.

A perennial problem for those managing data protection issues in local authorities is whether the LSCB is required to register as a data controller with the Information Commissioner’s Office under s18 of the Data Protection Act 1998 (DPA), or whether it can simply rely on the registrations of its constituent ‘partners’ such as the local authority, health board or police.

This is not just a trivial issue as, if registration is required, failure to do so makes it likely that any processing of personal data by the body is a criminal offence – combined effect of DPA sections 17 and 21. This offence may be committed not only by the LSCB but criminal liability would potentially also attach to individual Board members, including lay members.

So what is the legal status of the LSCB? It is not an incorporated company. Despite the reference to ‘Board partners’ it is not in fact a partnership in the full legal sense as that would require a business being carried out with a view to profit. It is simply an unincorporated association. Nothing in the setting up of LSCBs referred to above requires it to be anything more. It does not need to own property, employ staff, or initiate legal actions.

It is often suggested that an unincorporated association is not a legal entity (See e.g. HMRC at http://tinyurl.com/ykt7l3w ) and that it cannot:

  • enter into contracts;
  • sue or be sued;
  • take on a lease or own property; or
  • employ staff

The first two points above are important as data controllers may need to enter into data processing agreements (contract) and may need to be sued e.g. for damages under s13 DPA. Unfortunately it is not that simple. As long ago as 1901 it was decided that some unincorporated associations can indeed be sued (and by implication can sue).

If the Legislature has created a thing which can own property, which can employ servants, and which can inflict injury, it must be taken, I think, to have impliedly given the power to make it suable in a Court of Law for injuries purposely done by its authority and procurement. (The Taff Vale Railway Co – v – The Amalgamated Society of Railway Servants [1901] UKHL 1)

In addition an unincorporated association can be prosecuted. That may not always have been the case but is now clear law (See e.g. HSE prosecution guidance http://tinyurl.com/m26v78q and R v RL and JF [2008] EWCA Crim 1970).

By analogy one must therefore consider whether the DPA creates a thing (the data controller) which has the required responsibilities and powers to give it sufficient legal status to enable it to register as a data controller, even if it is an unincorporated association.

S1(1) DPA tells us:

“data controller” means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;

‘Person’ is not defined in the DPA. The starting point is thus the definition in the Interpretation Act 1978, Schedule 1: “Person” includes a body of persons corporate or unincorporate. This definition is subject to the limitation in s5 of the Interpretation Act: In any Act, unless the contrary intention appears, words and expressions listed in Schedule 1 to this Act are to be construed according to that Schedule.

There does not appear to be any contrary intention in the DPA. In fact s65(1)(b) recognises that for the Information Commissioner’s purpose of serving notices person includes a ‘body corporate or unincorporate’. Most, but not all, such notices are required by the Act to be served on the data controller. The Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council) definition of data controller also anticipates that an unincorporated body may be data controller as it refers to “the natural or legal person, public authority, agency or any other body” – Article 2(d). An LSCB is accordingly a person for the purpose of the definition of a data controller. But does it determine the purpose and manner of processing personal data?

The purposes of an LSCB are of course not self-determined. They are laid down by statute. However s1(4) DPA is clear:

Where personal data are processed only for purposes for which they are required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of this Act the data controller.

Whilst some of the statutory purposes may be fulfilled without processing identifiable personal data, it is clear that others cannot; e.g. conducting a serious case review would be, in practice, impossible without reference to information which would remove any likelihood of anonymity. It is also clear from a consideration of the LSCB functions (above) that it is, at least jointly, responsible for determining the manner of processing.

The courts have clearly recognised the status of a safeguarding board : see [2013] EWHC 1711 (QB) where the Worcestershire SCB was a party to a Public Interest Immunity action. http://bit.ly/1GGqBKr

An LSCB accordingly fulfils all of the requirements of the definition of a data controller and its unincorporated status can be no bar to the consequences of that. It seems therefore that LSCBs should notify the Information Commissioner and register as data controllers in their own right. This will have some significant consequences.

  • Many data controllers use data processors, and this would inevitably be the case for an LSCB. Typically for example the LSCB will use local authority IT and email systems. The seventh data protection principle requires a contract in writing to underpin the data processing agreement between the LSCB and the authority. Despite the ‘normal’ common law rule against contracts by an unincorporated association the legislative intention will have precedence.
  • S13 DPA entitles a data subject to sue a data controller in certain circumstances. It specifically refers to “proceedings against a person”. Given the legislative intention, that ‘person’ must include an unincorporated data controller (principle derived from The Taff Vale Railway Co – v – The Amalgamated Society of Railway Servants). LSCB Board members will have joint and several liability for any damages and they should be aware of this. In particular lay members might reasonably be given an indemnity on appointment.
  • Similarly there would be joint and several liability of LSCB Board members for any penalties imposed under s55A DPA.
  • DPA provides that the data controller is subject to a number of criminal sanctions. As we have seen the LSCB can be prosecuted. For example assume for a moment that Anyplace LSCB is a data controller but fails to notify the Information Commissioner under the registration process. As soon as it processes any personal data an offence is committed under s21 DPA. The LSCB may be prosecuted. Each Board member may be prosecuted. Whilst it is perhaps inconceivable that the ICO / Director of Public Prosecutions would prosecute a lay member of the Board, they should at least be advised of the potential liability as part of the appointment process, so that they can actively ensure compliance.

On the other hand an LSCB is not, as such, a designated public authority for the purpose of Freedom of Information requests. There is no specific designation in the Freedom of Information Act (FOIA) or subsequent statutory instruments and an LSCB could not fall within the category of a company “wholly owned by the wider public sector” as (a) it has lay members and (b) it is not a “body corporate” as required by FOIA s6(3)(3).

In practice it seems only a minority of LSCBs have registered as a data controller. A search of the register in December 2014 using the term “Safeguarding” produced only 16 matches. Whether or not the LSCB or sponsoring council agrees with the conclusion above, it should certainly make a clear decision for itself, as the requirements of data processing, and the drafting and implementation of data sharing protocols, cannot sensibly be addressed unless the roles and responsibilities of each party are clear.

Posted in DPA

A consistent line

The Information Commissioner’s Office (ICO) has today published its draft Code of Practice on Subject Access Requests (SAR) for consultation.

There is nothing in the draft code which will cause major surprise. It is largely a rehashing, and minor expansion, of material which already exists in his general data protection guidance and in specialist guidance on matters such as accessing information in complaints files, or dealing with requests involving other people’s information.

On first consideration the following matters appear to stand out.

1. A lack of recognition that for public authorities any SAR falls within s1 Freedom of Information Act 2000 (FOIA) so that e.g. the duty to advise and assist applies.

This occasionally leads to a lapse in distinguishing good from mandatory practice. For example, on page 10 the draft code suggests that you do not need to respond to a request which is not in writing. For a public authority, ignoring the verbal request would be a failure to provide advice and assistance to persons who propose to make a request for information. Similarly, page 41 refers to good practice in providing explanations which should be mandatory for a local authority.

2. In dealing with exemptions the draft code really does not get to grips with the problem, which many find difficult, of dealing with an SAR on those occasions when you simply cannot tell the requester at all about some personal data’s existence or processing, e.g. if there is a note in your file of a police enquiry where, particularly if they have used the ACPO form, the police will have requested non-disclosure. The draft code (top of page 46) refers correctly to denying subject access, but gives no assistance on the right way to do this, and lacks the necessary warning about not giving a misleading answer such as “We enclose all the personal data which we hold…”. I would also have expected here a discussion (for public authorities at least) of when and why there may be a need to use s40(5)(b)(ii) FOIA in such cases.

3. Finally, and again not surprisingly, the ICO continues his warning about misreading the decision in Ezsias v Welsh Ministers [2007] All ER (D) 65 (Dec) which appears in the existing Disproportionate Effort guidance.

In doing so he ignores subsequent cases which have strongly indicated that this guidance is wrong. See Elliott v Lloyds TSB Bank PLC & Anor [2012] EW Misc 7 (CC), discussed on the excellent Panopticon blog. See also there Karim Abadir v Imperial College.

Whilst ICO is entitled to take his own view in these areas, it is hardly satisfactory to have a situation where there are two routes to enforce an SAR, through the courts under s7(9) Data Protection Act 1998 (DPA) or via the ICO using the s42 DPA assessment process, which apply different tests.

In both the guidance and the draft code (see page 24) ICO stresses that Ezsias is not authority for suggesting that a disproportionate effort test applies to finding the information required to respond to an SAR. However ICO wishes to parse it, that is hard to reconcile with paragraph 93 of the judgement in Ezsias, which simply states “Under the 1998 Act, upon receipt of a request for data, a data controller must take reasonable and proportionate steps to identify and disclose the data he is bound to disclose.” Those reasonable and proportionate steps may well in many (or most) cases need to be extensive, but there should be no need to restrict the basic test laid down by the courts.

The ICO is also apparently on a collision course with the courts over the effect of the same authorities on the ability to refuse to deal with an SAR as constituting an abuse. See draft code pages 49-50. This arises from the same line of cases mentioned above. The ICO seems to be saying that the courts may decline to exercise their discretion under s7(9) to enforce, but in identical circumstances he would exercise his discretion to enforce under s42. The underlying problem appears to be the well known ICO dislike of the Durant decision and its clear statement that the purpose of an SAR is “… to check whether the data controller’s processing of the data unlawfully infringes his privacy … to take such steps as the Act provides … to protect it … [it is] not an automatic key to any information, readily accessible or not, of matters in which he may be named or involved … not to obtain discovery of documents that may assist in litigation or complaints”.

So the courts are not so much exercising a discretion as taking the view that the complaint is misfounded because its purpose has nothing to do with privacy. I have little doubt however that ICO will continue this approach, which is unlikely to be resolved, this side of the new directive, unless someone challenges an enforcement notice after taking the Durant / Ezsias approach.


Posted in FOI

E-Crime Wales

E-Crime Wales provides a useful set of resources including a free to download “Preventing E-Crime for Dummies” which in around 112 pages covers a number of topics such as:

  • Defending your IT Network
  • A Dozen Best Security Practices
  • Ten Tips to Prevent Data Loss Today

Loads of fact-sheets too, including gems such as:

  • Security Auditing Planning and Review
  • Cloud Computing Security Considerations
  • Managing Risks of Employee Behaviour

Being supported by the Welsh Assembly Government, some sections, not surprisingly, have a Welsh flavour, but for the most part the advice and resources are of general application.

Posted in DPA, Information Security

ANPR

In a recent Information Tribunal decision, Mathieson v Information Commissioner and Chief Constable of Devon & Cornwall, the First Tier Tribunal upheld an Information Commissioner decision and declined to order disclosure of the locations of ANPR (Automatic Number Plate Recognition) cameras. The Tribunal was satisfied that s24 FOIA (national security) and all limbs of s31(1) (prejudice to the prevention or detection of crime etc.) were engaged and determined the public interest against disclosure.

However, what is missing from the judgement and the earlier decision notice is any consideration of the duty to advise and assist, in particular whether a more limited disclosure, e.g. location by postcode district rather than precise location, might have been possible without engaging the exemptions, or with a different public interest conclusion. This is no doubt technically correct: where the terms of a request are clear, as they were here, the s45 FOIA Code of Practice does not require any assistance to be provided to the applicant, and accordingly there can be no breach of s16. This illustrates a regrettable limitation of the s45 Code. By contrast, if the request had fallen to be considered under EIR, under the equivalent code issued under Regulation 9, there may well have been a breach, as that code requires an authority to “be flexible in offering advice and assistance most appropriate to the circumstances of the applicant”, and that can include advice on a more limited disclosure if the actual information requested is exempt. The aim is to help applicants make good use of the Regulations, not, as in FOI, to ensure accurate but unhelpful refusals.

It was also an interesting example of an FOI refusal being upheld when it was, for the most part, accepted that the information was effectively in the public domain, because the cameras were not covert and the locations could be tracked down easily if sufficient resources were devoted to the exercise.

I wonder if the cameras are sufficiently distinctive to enable a smart programmer to search for them by interrogating google streetview …

Posted in FOI