Contents Page - Act No · Regulations 2000 Statutory Instrument ... Children Act 2004 s10, 11, 12...


BCS CERTIFICATE IN DATA PROTECTION

© Act Now Training Ltd

Contents Page

1. Slides

2. Collie Case

3. FOI personal data decisions

4. New Regulation & Directive

PLEASE NOTE Data Protection and related legislation is a very complex subject. The contents of this seminar and documentation are meant for you to consider on the basis of general discussion. It is not advice or opinion (legal or otherwise). You should obtain expert legal advice on your specific issues from a qualified solicitor. Any liability (in negligence or otherwise) arising from you acting or refraining to act as a result of anything in this seminar or documentation is excluded. COPYRIGHT NOTICE Please note that a lot of time and effort goes into the preparation of these course materials. We own the copyright in the articles and the slides. We ask that you do not copy them or reproduce them in any way without our express written permission.


www.actnow.org.uk

BCS DP Day 5


Running order

•  Review of Day 4 homework
•  Links with other legislation
•  Sharing & matching, ICO Code
•  Sector-based issues
•  1445 Exam prep & BCS sample paper
•  1630 Close

Freedom of Information


Use of exemptions by government

[Chart: number of times each exemption was used in 2014, for FOIA s.21, s.22, s.30, s.31, s.35, s.36, s.40, s.41, s.43 and s.44 and the EIR; vertical axis 0 to 6000]

The s.40 personal data exemption is by far the most commonly used exemption.

Personal information – s.40: terminology. “Personal data”, “data subject” and “data protection principles” all take their meaning from the Data Protection Act 1998 (FOIA s.40(7)).

What is personal data?

Data relating to living, identifiable individuals: all data on automated systems, and most paper-based information.


Personal information – s.40

(1) Any information…is exempt…if it constitutes personal data of which the applicant is the data subject.

Example: “I would like to see all correspondence about my recent request for promotion.” This is the applicant’s own data, so the s.40(1) exemption is absolute and the request is handled as a subject access request under DPA s.7 rather than under FOIA.

Third parties’ personal data – reasons for non-disclosure: s.40(2)-(4)

1. Disclosure would breach the data protection principles (normally the first principle: fair and lawful processing)
2. Someone has exercised their right under s.10 of the DPA (to prevent processing likely to cause damage or distress)
3. The information would be exempt from disclosure under the DPA subject access provisions

How to decide whether s.40 applies

1. Is it personal data?
2. Is it sensitive personal data (DPA s.2)?
3. Is a condition in DPA Schedule 2 met?
4. If sensitive data, is a condition in Schedule 3 also met?
5. Is the disclosure otherwise fair and lawful?

Based on Egan v IC & West Midlands Police EA/2014/0297


Legitimate interest condition (DPA Schedule 2, condition 6), taken in this order:

1. Is the public authority or the requester pursuing a legitimate interest?
2. Is disclosure necessary to meet that interest?
3. Would disclosure cause unwarranted prejudice to the rights (including HRA Art 8), freedoms or legitimate interests of the individual(s)?

Based on Goldsmith International Business School v IC & Home Office UKUT 563 (AAC)

Legitimate interest: a public interest

Corporate Officer of the House of Commons v IC & Leapman, Brooke & Thomas, EA/2007/0060-63, 122, 123 and 131: should details of MPs’ expenses be disclosed?

Legitimate interest: a private interest

James Henderson v Information Commissioner EA/2013/0055: interference “necessary” to protect Mr Henderson’s interests.


Official guidance (ICO)

Normally disclose “names of officials, their grades, job functions or decisions which they have made in their official capacities”.

“information about someone acting in an official or work capacity should normally be provided on request unless… some risk to the individual”

Personal Info: Questions to Ask

Look at role, capacity & seniority of the subject

Is it about their public life or their private life?

In what circumstances was the data gathered?

Was the subject told of potential disclosures?

What is their reasonable expectation as to the way their information is going to be treated?

What harm would disclosure cause?


A few decisions to remember

Is pay protected by s.40?

•  Information Commissioner suggests that salaries should be provided to nearest £5K

•  In Dicker v IC (EA/2012/0250), the FTT ruled that the exact salary of the Chief Executive should be disclosed

•  Specific circumstances, but will we see a move towards more salary transparency?

Pay of senior officers

•  Corby Council 2005: request for “the total amount of money paid to former temporary finance officer Gary Moss”
•  Council refused, claiming section 40(2)
•  ICO satisfied that there is a legitimate interest in telling the public the amount of money spent employing senior staff
•  Disclosure would not be unfair or unlawful


CVs and biographies

•  ICO states that disclosure of CVs and biogs may often be fair because they are designed to present individual in a positive light

•  Ultimately, disclosure depends on seniority

Senior Officer Training

•  Gwent Police: 29/03/2011

•  Names and roles of any chief officers (both warranted and civilian staff) who have received either coaching or mentoring

•  ICO finds no prejudice to individual and states that there is legitimate interest


Names of employees

•  Request for names of FCA employees
•  FCA refused under s.40(2)
•  ICO upheld the refusal
•  FTT ruled the names were not personal data, applying the Durant test
•  UT overturned the FTT decision
•  Court of Appeal upheld the UT


Edem v IC & Financial Conduct Authority [2014] EWCA Civ 92

“…a name is personal data unless it is so common that without further information, such as its use in a work context, a person would remain unidentifiable despite its disclosure.”

•  Court of Appeal said the Durant test only applies in borderline cases

Number of individuals

•  Calderdale PCT
•  Questions asked about trans-sexuals; the answers were numbers less than five
•  Personal data is very sensitive and disclosure would constitute a significant intrusion into the individuals’ right to privacy
•  ICO finds that the risk of identification outweighs the need to know
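The “less than five” concern in the Calderdale decision, and the barnardisation the Scottish Information Commissioner ordered in the Collie case (summarised later on this page), are both forms of statistical disclosure control. The block below is an added example, not code from Act Now Training, the ICO, the CSA or ISD Scotland: the ward figures are constructed, and the perturbation probability, the cell ceiling and the handling of zeros are assumptions made for illustration.

```python
"""Small-number disclosure control for published statistics.

Added illustration, not the method of any of the bodies named on this page.
Two techniques: the 'less than five' suppression rule and barnardisation
(random perturbation of small counts). Figures are constructed; the
barnardisation parameters are assumptions.
"""
import random

THRESHOLD = 5  # counts of 1..4 are treated as disclosive; zero is left as published

# Constructed sample: cases per census ward (not the CSA's real figures)
WARD_COUNTS = {"Ward A": 0, "Ward B": 1, "Ward C": 3, "Ward D": 7, "Ward E": 2}


def suppress_small_numbers(counts, threshold=THRESHOLD):
    """Primary suppression: any count in 1..threshold-1 becomes None."""
    return {ward: (None if 0 < n < threshold else n) for ward, n in counts.items()}


def needs_secondary_suppression(suppressed, total_published=True):
    """If the table total is published and exactly one cell is suppressed,
    the hidden value is recoverable by subtraction, so a second cell must be
    suppressed too (complementary suppression)."""
    hidden = sum(1 for n in suppressed.values() if n is None)
    return total_published and hidden == 1


def barnardise(counts, p=0.1, max_cell=THRESHOLD - 1, seed=None):
    """Assumed barnardisation: each non-zero count <= max_cell is moved by -1
    with probability p, by +1 with probability p, and otherwise left alone.
    Zeros and larger counts are published as they are; no count goes negative.
    p and max_cell are illustrative assumptions, not the published parameters."""
    rng = random.Random(seed)
    out = {}
    for ward, n in counts.items():
        if 0 < n <= max_cell:
            r = rng.random()
            if r < p:
                n = max(0, n - 1)
            elif r < 2 * p:
                n += 1
        out[ward] = n
    return out


def is_valid_perturbation(original, perturbed, max_cell=THRESHOLD - 1):
    """Invariant check to run before release: only small non-zero cells
    change, each by at most one, and nothing is negative."""
    for ward, n in original.items():
        m = perturbed[ward]
        if m < 0:
            return False
        if n == 0 or n > max_cell:
            if m != n:
                return False
        elif abs(m - n) > 1:
            return False
    return True


if __name__ == "__main__":
    print("suppressed:", suppress_small_numbers(WARD_COUNTS))
    released = barnardise(WARD_COUNTS, seed=2016)
    print("barnardised:", released, "valid:", is_valid_perturbation(WARD_COUNTS, released))
```

Suppression alone can be undone by subtraction when a total is published, which is why needs_secondary_suppression exists; barnardisation publishes every cell, but a reader can no longer tell whether a 1 was really a 0, 1 or 2. Neither replaces the s.40 analysis: a count that is still small after release remains personal data if the other published columns let a motivated reader pin it to one person.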


Section 10 Notice

“An individual can serve a section 10 (DPA) notice on a data controller if the processing would cause substantial, unwarranted damage or distress”


Section 10 Notice

Decision 054/2005 – Paul Hutcheon, The Sunday Herald & Chief Constable of Central Scotland Police. Request for the names of police officers who have had race-related complaints made against them; information withheld under section 38(1)(b) of the Freedom of Information (Scotland) Act 2002. Decision upheld.

Refusal notices

If refusing to disclose personal data, a refusal notice must be issued to the requester.

This must explain why the exemption applies and provide details of how the requester can appeal the decision.

And don’t forget…

Part VII of the Freedom of Information Act – ss.68-73 – amends the Data Protection Act. s.68 creates category (e) data: recorded information held by a public authority that does not fall within the other limbs of the DPA definition of “data”.


Dead People: Questions to Ask

•  Is the requester the deceased’s personal representative?
•  Is the information sensitive/confidential?
•  Would disclosure be a breach of confidence?
•  Have you consulted the deceased’s family?
•  Did the deceased express their wishes before death?

The DPA applies only to living individuals, so s.40 cannot be relied on for information about the dead; the exemption usually in play is s.41 (information provided in confidence).


Other legislation

Crime and Disorder Act 1998

•  An Act to make provision for preventing crime and disorder
•  Created ASBOs
•  Section 115 allows the passing of data to the police, probation, health bodies and councils
•  Since added to by various Acts
•  Created Community Safety Partnerships


Computer Misuse Act 1990

•  s.1: unauthorised access to computer material
•  s.2: unauthorised access with intent to commit or facilitate commission of further offences
•  s.3: unauthorised modification of computer material (as originally enacted; the Police and Justice Act 2006 recast this as unauthorised acts with intent to impair, or recklessness as to impairing, the operation of a computer, and added s.3A, making or supplying articles for use in CMA offences)

Anti-Terrorism Crime & Security Act 2001

Part 3 of the Act clarifies and extends a number of existing gateways for disclosure of information from public authorities to agencies involved in criminal investigations and proceedings. The gateways ensure that public authorities can disclose certain types of otherwise confidential information where this is necessary for the purposes of fighting terrorism and other crimes.

Regulation of Investigatory Powers

•  RIPA, or RIP(S)A for surveillance by Scottish public authorities
•  Covert operations which are deemed lawful if properly authorised to uncover crime
•  An independent inspection is carried out by the Surveillance Commissioner (a role taken over by the Investigatory Powers Commissioner in 2017)
•  Anyone can complain to the Investigatory Powers Tribunal set up under RIPA


Who uses RIPA?

•  Trading Standards
•  Environmental Health
•  Licensing
•  Human Resources


Poole Decision

•  Investigatory Powers Tribunal ruling (2010) on Poole Borough Council’s covert surveillance of the Paton family
•  Investigating a potentially fraudulent school application was not a proper purpose in the sense required by RIPA
•  The Council’s actions were disproportionate
•  The Council’s actions had breached the family’s rights under Article 8 of the HRA
•  Poole Borough Council has accepted the ruling and apologised to Ms Paton and her family

RIPA plus

The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, Statutory Instrument 2000 No. 2699

Reasons for covert monitoring permitted by the Regulations:

•  to establish the existence of facts
•  to comply with regulatory or self-regulatory practices
•  to prevent or detect crime
•  to investigate or detect unauthorised use of systems
•  to secure effective system operation
•  monitoring received communications to determine whether they are business or personal
•  monitoring communications made to anonymous telephone helplines

The Regulations also require the business to have made all reasonable efforts to inform users of the system that their communications may be intercepted.


RIPA

Monitoring email & internet use.

Can you do it?


Sharing & Matching

Data Matching

•  Comparing two data sets
•  In the same organisation
•  Hits on both datasets? Cause for concern
•  Matching your own staff?


Data Matching Examples

A council in the Manchester area had 16,700 households claiming the single person discount. Data matching threw up 939 “mismatches”.

The council accounted for 269 cases from its own records. It then wrote to the remaining 670 households asking them to account for the discrepancy.

Making Data Matching Fair

•  Fair processing notice
•  Lead time before the exercise
•  A match is not necessarily guilt
•  Privacy Impact Assessment
•  Purpose led… not technology driven
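The single person discount exercise above, as an added example of how such a match is run and why a hit is a query rather than a finding. This is not the council’s or the ICO’s code; every claim, register entry, name and property reference is constructed, and the 28-day notice lead time is an assumption.

```python
"""Council tax single person discount (SPD) claims matched against the electoral
register. Added example, not any council's or the ICO's process. All records,
names and property references (UPRNs) below are constructed."""
from datetime import date

# Constructed SPD claims: one adult said to live at each property
SPD_CLAIMS = [
    {"uprn": "100010001", "claimant": "A Smith"},
    {"uprn": "100010002", "claimant": "B Jones"},
    {"uprn": "100010003", "claimant": "C Khan"},
    {"uprn": "100010004", "claimant": "D Evans"},
    {"uprn": "100010005", "claimant": "E Brown"},
    {"uprn": " 100010006 ", "claimant": "F Green"},  # untidy key, as real extracts often are
]

# Constructed electoral register rows: (uprn, name, attainer). An attainer is
# 16 or 17 and registered in advance, so not an adult for council tax purposes.
ELECTORAL_REGISTER = [
    ("100010001", "A Smith", False),
    ("100010002", "B Jones", False), ("100010002", "T Jones", True),
    ("100010003", "C Khan", False), ("100010003", "M Khan", False),
    ("100010004", "D Evans", False), ("100010004", "P Evans", False),
    ("100010005", "E Brown", False),
    ("100010006", "F Green", False), ("100010006", "G Green", False), ("100010006", "H Green", False),
]

# The council's own records: a second adult already known to be disregarded
OWN_RECORDS = {"100010003": "full-time student disregard on file"}


def normalise_key(uprn):
    """Trim and canonicalise the join key so stray whitespace never hides a match."""
    return "".join(str(uprn).split())


def notice_lead_time_met(notice_published, run_date, lead_days=28):
    """Fairness gate: the fair processing notice must have been out for an
    assumed minimum of lead_days before the matching exercise runs."""
    return (run_date - notice_published).days >= lead_days


def match_spd(claims, register, own_records):
    """Return (summary, queries). A query is a discrepancy to put to the
    household, not a finding of fraud: the letter asks them to account for it."""
    adults_at = {}
    for uprn, name, attainer in register:
        if not attainer:
            adults_at.setdefault(normalise_key(uprn), []).append(name)

    summary = {"claims": len(claims), "mismatches": 0, "explained": 0, "to_query": 0}
    queries = []
    for claim in claims:
        key = normalise_key(claim["uprn"])
        adults = adults_at.get(key, [])
        if len(adults) <= 1:
            continue                      # register agrees with the claim
        summary["mismatches"] += 1
        if key in own_records:
            summary["explained"] += 1     # accounted for without contacting anyone
            continue
        summary["to_query"] += 1
        queries.append({
            "uprn": key,
            "claimant": claim["claimant"],
            "adults_on_register": len(adults),
            "action": "write asking the household to account for the discrepancy",
        })
    return summary, queries


def run_example():
    """Runs the constructed exercise, assuming the notice went out on 1 March
    and the match runs on 15 April (illustrative dates)."""
    if not notice_lead_time_met(date(2016, 3, 1), date(2016, 4, 15)):
        raise RuntimeError("fair processing notice lead time not met")
    return match_spd(SPD_CLAIMS, ELECTORAL_REGISTER, OWN_RECORDS)


if __name__ == "__main__":
    summary, queries = run_example()
    print(summary)
    for q in queries:
        print(q)
```

Two details carry most of the fairness weight: attainers are excluded before adults are counted, so a 17-year-old on the register does not generate a letter, and properties the council can already explain from its own records never reach the query list, which is the 269 of the 939 in the slide.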

Data Sharing Examples

•  Entitlement cards
•  Empty Property Initiative
•  Child protection
•  CRB / DBS
•  Naming and shaming
•  A & E register


Data Sharing Failures

•  Climbié inquiry (Laming Report)
•  Soham case (Bichard Report)
•  Baby P, etc.

What is meant by data sharing

•  Data sharing means disclosure of personal data from one organisation to another

•  The Code covers two main types of sharing: systematic, routine data sharing for an established purpose; and exceptional, one-off sharing

Express and implied powers (public sector)

•  Lots of legislation provides “lawful gateways” that allow data to be shared

•  These gateways create express powers to share data

•  Implied powers occur when data sharing is “reasonably incidental” to other statutory powers


Lawful Gateways

•  Crime & Disorder Act 1998 s.115
•  Anti-terrorism, Crime & Security Act 2001
•  Children Act 1989 s.17
•  National Health Service Act 1977
•  Education Act 1996 s.520 (school nurses)
•  Children Act 2004 ss.10, 11, 12 (databases)
•  Local Government Act 1972 & 2003
•  Civil Contingencies Act 2004

Central & Local Government

•  Powers to share information

•  Power of well being

•  General Power of Competence.

•  Power of First Resort

Power of Well being

•  The ‘power of well-being’ is the informal name given to the statutory power enabling a local authority to do anything which it considers likely to achieve the promotion or improvement of the economic, social or environmental well-being of their area.

•  This power was given to English principal authorities by Section 2 of the Local Government Act 2000 (the 2000 Act).


General Power of Competence

Local councils in England were given a ‘general power of competence’ by the Localism Act 2011. Councils no longer need to ask whether they have a specific power to act. The GPC gives local authorities, including eligible local councils, “the power to do anything that individuals generally may do” as long as they don’t break other laws.

Private and third-sector organisations

•  Does sharing comply with data protection principles?

•  Are there any legal constraints on sharing of data?

•  Does your constitution or articles of association place any restrictions on sharing?

Data Sharing Code


ICO approach

•  Data Protection is not a barrier to justified, necessary and proportionate data sharing.

•  DPA provides a framework for sharing in a secure, lawful and reasonable way.

•  Limitations and safeguards are essential: individuals have rights.

•  Don’t see data protection as a barrier - understand and use it.

Seven Golden Rules

1. Remember that the Data Protection Act is not a barrier to sharing information
2. Be open and honest
3. Seek advice
4. Share with consent where appropriate
5. Consider safety and well-being
6. Necessary, proportionate, relevant, accurate, timely and secure
7. Keep a record

See booklet.

Questions to ask

Read the ICO’s Data Sharing Checklists


Data Sharing Agreements

•  If you’re sharing data systematically, document the answers to the questions you’ve asked in a data sharing agreement

•  Should be signed off at senior level

Data Sharing Agreements

•  Agreed at a high level
•  Subject access
•  Type of data available
•  Term of project
•  Updates
•  Weeding
•  Training & dissemination

Data Sharing Networks and tools

Some parts of the country and some sectors have data sharing networks

•  Scottish Accord on the Sharing of Personal Information (SASPI)

•  Improving Information Sharing and Management (IISaM) www.informationsharing.co.uk


Recording Data Sharing

•  Make sure you keep thorough records of any data shared and who with

•  Information Commissioner suggests public bodies should publish information sharing agreements as part of publication scheme


Tell us Once

•  National coverage: 89% at end of March 2013
•  400,000 users for birth and death
•  1,500 deaths, 300 births ‘captured’ each day
•  Telephony service: 7,000 calls each month
•  5,500 online users (death only)
•  Approx 7,000 notifications each day

Child Protection

•  Children Act 1989/1995/2004

•  Child Support (Information, Evidence and Disclosure) Regulations 1992

•  Children (Leaving Care) Act 2000

Law Commission Report


Internet & E-commerce

Discussion

Your experiences?

Section C question – Zap Ltd

The Health Sector

The 1997 report of the Review of Patient-identifiable Information, chaired by Dame Fiona Caldicott (the Caldicott Report): 6 principles, Caldicott Guardians, followed by Caldicott 2.

The Caldicott Principles

•  Justify the purpose when using confidential information.
•  Only use it when absolutely necessary.
•  Use the minimum that is required.
•  Access on a strict need-to-know basis.
•  Everyone must understand his or her responsibilities.
•  Understand and comply with the law.


Caldicott 2

Information Governance Review (2013): 142 pages, 14 chapters, 26 recommendations. It added a seventh principle: the duty to share information can be as important as the duty to protect patient confidentiality.

Health Sector Prosecutions

•  In January 2012, a former health worker was prosecuted and pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband’s family in order to obtain their new telephone numbers.
•  In December 2011, a receptionist who unlawfully obtained her sister-in-law’s medical records in order to find out about the medication she was taking was found guilty of an offence under section 55 of the Data Protection Act.
•  In June 2012, a personal injury claims company employee was prosecuted for illegally obtaining NHS patients’ information.
•  In April 2012, an undertaking to comply with the seventh data protection principle was signed by Leicestershire County Council, following the theft of a briefcase containing personal confidential data from a social worker’s home.

Man walks in front of bus…

Staff at the Leeds hospital where England rugby star Danny Cipriani was being treated were today hoping Kelly Brook would visit, with nurse Stephanie Burnett tweeting: 'Bit of celeb spotting at work tonight... Shame I’m not a rugby fan! Maybe Kelly Brook will come for a visit?! #makemyshiftinteresting.'


Activity A (takes 5 minutes to complete). Which principle does the scenario breach or relate to?

Mr X receives a call from the local hospital to tell him that his pregnant wife has been admitted. Mr X was shocked, as they have been divorced for 10 years and his ex-wife remarried his best friend. Mr X informed the hospital that he is no longer her next of kin.

Activity B. Which principle does the scenario breach or relate to?

A mother asks to see her 16-year-old daughter’s school nurse reports as she suspects her daughter is sexually active. The school nurse says no problem, asks for the request to be in writing and says she will provide a copy of recent notes within 21 working days.

Activity C. Which principle does the scenario breach or relate to?

A health records assistant has been tasked with checking 100 random health records to see whether they are labelled with the correct NHS number. She decides that there is not enough space in her department to do this task comfortably, so she finds a quiet meeting room in the Post Grad Centre to do this. She pops out for lunch for 1 hour, leaving the notes unattended and the room unlocked.

Activity D. Which principle does the scenario breach or relate to?

Mrs Y moves from London to Leeds and registers with a new GP in Leeds. The GP goes through her records to get familiar with his new patient’s health history. He finds abbreviations such as HT and NLW in the notes. When he asks the previous GP to explain, he laughs and says that means ‘Hot Totty’ and ‘Nice Looking Woman’.

Activity E. Which principle does the scenario breach or relate to?

A nurse is approached by PC Bloggs asking how his brother (also a police officer) is doing after having been shot in the line of duty. The nurse mentions that he is stable in terms of the gunshot wound, but they have found that his cancer has spread. When the brother regained consciousness he was surprised to find that his brother (PC Bloggs) knew about the cancer. Only his wife knew until now.

Activity F. Which principle does the scenario breach or relate to?

HR were approached by their Trust’s communications team asking for all staff home addresses to do a mail shot about the benefits for staff and training opportunities available when the implementation of the new National Programme for IT is complete at their Trust. HR agree to email the staff database to the communications team a.s.a.p.

Activity G. Which principle does the scenario breach or relate to?

A USA social services team heard that a UK social care team were using new and successful techniques to handle manic depressive young teenagers. The USA team ask for a report on the methodology supported by real-life case reports so that they can learn from the UK findings. The UK team send case notes and reports via email to the USA team.

Activity H. Which principle does the scenario breach or relate to?

A finance assistant is tasked with disposing of any old requisitions filed. Her colleague tells her to get rid of any cleared requisitions which are more than 18 months old. The assistant found 50+ requisitions nearly 3 years old, which exceeds the recommended retention period in the DH Records Management Code of Practice.

What risks can you identify?


The Future

EU Regulation timeline:

•  The Trilogue (negotiations between Commission, Parliament and Council) completed December 2015
•  Regulation passed by the EU Parliament and formally adopted (April 2016)
•  In force and applying across the EU from May 2018


EU Regulation – what will it mean?

•  Explicit consent required more often
•  Data Protection Officer (mandatory for some organisations)
•  No notification (registration) with the ICO
•  Right to be forgotten enhanced
•  More ICO powers
•  Bigger penalties (up to 4% of annual worldwide turnover or €20 million, whichever is higher)
•  Mandatory reporting of data breach incidents
•  Privacy impact assessments mandatory for high-risk processing
•  Privacy seals (certification)

BCS Sample paper

Online revision


What you should see

Next week

1000 Mock Exam 1300  Lunch 1400 Debrief 1500  Finish

ISEB CERTIFICATE IN

FREEDOM OF INFORMATION

© Act Now Training Ltd 2009

FOIA decisions on personal data

Ref | Data description | Personal data? | Disclosable?
FS50062124 | Total amount of money paid to the former temporary finance officer | Yes | Yes
FS50063717 | List of NHS suppliers together with fax and telephone numbers | No | Yes
FS50066908 | CCTV footage relating to an alleged incident of vandalism | Yes | No
FS50068391 | Personal items purchased by Alan Yentob on his BBC credit card and reimbursed | Yes | No
FS50068973 | Names of staff who went to New Zealand for a recruitment exercise | Yes | Yes
FS50075171 | Prosecutions brought for fare dodging on London buses | Yes | No
FS50076657 | Home addresses of the governors of two local schools | Yes | No
FS50082890 | List of council houses | Yes | Yes
FS50086598 | Information about an informant and the police’s actions in relation to this informant | Yes | No
FS50092601 | Street name of the child who lives furthest away from the college | No | Yes
FS50092819 | Doctors’ gross salaries, additional payments and average number of hours each doctor worked | Yes | No
FS50092819 | Doctors’ names, job titles and salary bands | Yes | Yes
FS50128761 | Residential addresses of all the Information Commissioner’s current salaried staff | Yes | No
FS50161581 | Number of burglaries reported in two separate streets across three years | No | Yes
FS50169424 | Postcodes of all employees at the ICO | Yes | No
FS50178553 | Total amount paid to former employees dismissed for whistle-blowing, in settlement of employment tribunal proceedings | Yes | Yes
FS50189595 | Personal data of the complainant | Yes | Yes (under the DPA)
FS50216431 | Awarding of exemptions from Council Tax liability to elected members and council officers since 1997 | Yes | No
FS50219757 | Which police division the two officers had served in since 30 July 2006, and whether either had been promoted | Yes | Yes
FS50222632 | The number of children taken into care, adopted, placed on a special guardianship order and placed on a residence order, broken down by age and month | No | Yes
FS50226713 | Benefit payments made to a named individual | Yes | No
FS50227348 | Answers volunteered by serving judges in 1998, and those subsequently appointed, on the issue of Masonic membership | Yes (but not sensitive) | Yes
FS50229617 | Results of a job evaluation process | No | Yes
FS50242131 | Exact salary details for various senior management posts | Yes | Yes (in £5,000 increments)
FS50259598 | Names of individuals from the council who attended Common Purpose courses | Yes | Yes
FS50267298 | Compromise agreement between the council and the outgoing Chief Executive | Yes | No
FS50269400 | Confirmation of which flat occupants in a particular block voted for which colour in a painting scheme | Yes | No
FS50274410 | Hours worked and bills submitted by named consultants | Yes | Yes
FS50275054 | Age, grade and pay scale of an individual who was granted early retirement | Yes | No
FS50280638 | All complaints about a named judge, including their nature, details and results of investigations carried out | Yes | No
FS50281100 | Names, ranks and collar numbers of the police officers involved in the arrest of a photographer | Yes | No
FS50284021 | Name of the GMC official who allocated a named panellist to a specific GMC Panel | Yes | No
FS50294078 | Severance and/or redundancy packages | Yes | No

Why do we need an EU data protection reform?

The EU’s 1995 Data Protection Directive set a milestone in the history of personal data protection. Its basic principles, ensuring a functioning internal market and an effective protection of the fundamental right of individuals to data protection, are as valid today as they were 17 years ago. But differences in the way that each EU country implements the law have led to an uneven level of protection for personal data, depending on where an individual lives or buys goods and services.

The current rules also need to be modernised - they were introduced when the Internet was still in its infancy. Rapid technological developments and globalisation have brought new challenges for data protection. With social networking sites, cloud computing, location-based services and smart cards, we leave digital traces with every move we make. In this “brave new data world” we need a robust set of rules. The EU’s data protection reform will make sure our rules are future-proof and fit for the digital age.

Attitudes towards data protection

•  Just over a quarter of social network users (26%) and even fewer online shoppers (18%) feel in complete control of their personal data.
•  74% of Europeans see disclosing personal information as an increasing part of modern life.
•  43% of Internet users say they have been asked for more personal information than necessary.
•  Only one-third of Europeans (33%) are aware of the existence of a national public authority responsible for data protection.
•  90% of Europeans want the same data protection rights across the EU.

Source: Special Eurobarometer 359, Attitudes on Data Protection and Electronic Identity in the European Union, June 2011

What is personal data?

Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, your bank details, your posts on social networking websites, your medical information, or your computer’s IP address. The EU data protection rules apply when a person can be identified, directly or indirectly, by such data. The EU Charter of Fundamental Rights says that everyone has the right to personal data protection in all aspects of life: at home, at work, whilst shopping, receiving medical treatment, at a police station or on the Internet. 74% of Europeans think that disclosing personal data is increasingly part of modern life, but at the same time, 72% of Internet users are worried that they give away too much personal data. They feel they are not in complete control of their data. This eats away at their trust in online and other services and holds back the growth of the digital economy in general.

What is the Commission planning to do?

The Commission’s proposals update and modernise the principles enshrined in the 1995 Data Protection Directive to guarantee the right of personal data protection in the future. They focus on: reinforcing individuals’ rights; strengthening the EU internal market; ensuring a high level of data protection in all areas, including police and criminal justice cooperation; ensuring proper enforcement of the rules; and setting global data-protection standards.

What will be the key changes?

•  A ‘right to be forgotten’ will help people better manage data-protection risks online. When they no longer want their data to be processed and there are no legitimate grounds for retaining it, the data will be deleted.
•  Whenever consent is required for data processing, it will have to be given explicitly, rather than be assumed.
•  Easier access to one’s own data and the right of data portability, i.e. easier transfer of personal data from one service provider to another.
•  Companies and organisations will have to notify serious data breaches without undue delay, where feasible within 24 hours. (The Regulation as adopted in 2016 sets the supervisory-authority deadline at 72 hours where feasible.)
•  A single set of rules on data protection, valid across the EU.
•  Companies will only have to deal with a single national data protection authority – in the EU country where they have their main establishment.
•  Individuals will have the right to refer all cases to their home national data protection authority, even when their personal data is processed outside their home country.
•  EU rules will apply to companies not established in the EU, if they offer goods or services in the EU or monitor the online behaviour of citizens.
•  Increased responsibility and accountability for those processing personal data.
•  Unnecessary administrative burdens such as notification requirements for companies processing personal data will be removed.
•  National data protection authorities will be strengthened so they can better enforce the EU rules at home.

What will this mean for me?

The proposed changes will give you more control over your personal data, make it easier to access, and improve the quality of information you get about what happens to your data once you decide to share it. These proposals are designed to make sure that your personal information is protected – no matter where it is sent or stored – even outside the EU, as may often be the case on the Internet.

Individuals can be confident that they can go online and take advantage of new technologies regardless of where they come from, whether it’s shopping for a better deal, or sharing information with friends around the globe. This reinforced trust will also help businesses grow and allow them to serve consumers throughout Europe with adequate safeguards for personal data, and with lower costs. This will help stimulate the internal market, boost growth, create jobs and foster innovation.

EN

Any questions?http://ec.europa.eu/justice/data-protection/index_en.htm

Contact Europe Direct: 00 800 67 89 10 11 - http://europa.eu/europedirect/


© Act Now Training Ltd 2011

THE COLLIE CASE

The House of Lords ruling in Common Services Agency v Scottish Information Commissioner [2008] UKHL 47 addresses important questions about the interaction between provisions of the Data Protection Act 1998 on the one hand and provisions of the Freedom of Information (Scotland) Act 2002 on the other, and has a real impact on practice in these fields across the UK.

The judgment is likely to have wide-ranging implications for all public authorities, businesses and other organisations which hold and process personal data. In practice, this is likely to mean any organisation which is a ‘data controller’ in terms of the data protection legislation – from large commercial businesses through to charities and not-for-profit organisations. Organisations which issue statistics on health-related issues may be especially affected. But individuals whose information may be held and disclosed by any of these authorities, businesses or organisations are also affected.

Not for the first time, an eagerly anticipated House of Lords judgment may well be considered something of a disappointment. It is narrower than one might have hoped. Moreover, the variations in reasoning, which are bearable on the facts and nevertheless lead to unanimity of view on the actual order in the case, have the potential to cause difficulties in the future. Nevertheless, this is a major judgment and demands to be read in full by all practitioners in this area.

The facts in brief

In 2005 Mr Michael Collie, a researcher working for a (then) Green Party MSP, submitted a request under the Freedom of Information (Scotland) Act 2002 (or "FOISA") to the Common Services Agency (the "CSA"), a specialist health board in Scotland which collects statistical information from other health boards. In terms of his request he sought details of the recorded incidence of childhood leukaemia for certain years in the Dumfries and Galloway area of South West Scotland, broken down by census ward. It appears his interest lay in the suspected risk to public health arising from the MOD's operations at its Dundrennan firing range, the decommissioned nuclear reactor at Chapelcross and the nuclear processing facilities at Sellafield. The CSA refused to disclose the information requested, on the grounds that it was personal data the disclosure of which would breach the data protection principles. On application to the Scottish Information Commissioner (the "SIC"), the SIC ordered the CSA to disclose the information sought in a re-presented form using a technique called "barnardisation" which applies a process of random modification to statistics consisting of small numbers in order to substantially remove the risk that individual data subjects can be identified from them. The Inner House of the Court of Session subsequently upheld the SIC's decision and the CSA appealed further to the House of Lords. The case raised interesting and important questions as to the precise meaning of "personal data" in terms of the Data Protection Act 1998 (the "DPA") and as to the interaction of the DPA and freedom of information legislation. Whilst their Lordships were required to consider certain provisions of FOISA for the purposes of disposing of the appeal, the corresponding provisions of the Freedom of Information Act 2000 are in materially the same terms so the judgment is therefore of relevance throughout the UK.
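The barnardisation technique the SIC ordered, shown as an added illustration in Python (this is not code from the judgment, the CSA or the course materials); the ±1 perturbation rule, the probability p and the ward counts are assumptions constructed for the example, and the last function shows what a recipient holding only the released table can still infer:

```python
"""Barnardisation of small-count statistics (added example, not the judgment's
or the course's code).  Assumed rule, constructed for this example: every
non-zero cell is changed by -1, 0 or +1 with probabilities p/2, 1-p, p/2;
zero cells are left alone and no result goes below zero."""
import random

# Constructed sample counts per census ward; not real health data.
RAW_COUNTS = {"Ward A": 0, "Ward B": 1, "Ward C": 2, "Ward D": 7, "Ward E": 1}


def barnardise(counts, p=0.2, seed=None):
    """Return a randomly perturbed copy of counts.

    The seed lets the data controller reproduce its own run; a recipient
    holding only the output has no way to undo the perturbation."""
    rng = random.Random(seed)
    out = {}
    for cell, n in counts.items():
        if n > 0:
            u = rng.random()
            if u < p / 2:
                n -= 1
            elif u < p:
                n += 1
        out[cell] = max(n, 0)
    return out


def small_cells(counts, threshold=5):
    """Cells holding 1..threshold-1 cases: the 'small numbers' from which an
    individual in a sparsely populated ward might be picked out."""
    return {c: n for c, n in counts.items() if 0 < n < threshold}


def candidate_true_counts(published):
    """True counts consistent with one published cell under the assumed rule.
    A published 0 hides a true 0 or 1; any other figure is within one of the
    truth but cannot come from a true zero, so a published 1 still reveals
    that at least one real case exists in that ward."""
    if published == 0:
        return [0, 1]
    return [n for n in (published - 1, published, published + 1) if n >= 1]


if __name__ == "__main__":
    released = barnardise(RAW_COUNTS, p=0.2, seed=2008)
    print("raw:      ", RAW_COUNTS)
    print("released: ", released)
    print("small cells in released table:", small_cells(released))
    print("a published 1 could really be:", candidate_true_counts(1))
```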

The key issues considered by the Court

The extent of a Scottish public authority's duty under FOISA to provide information requested in a different form to that in which it holds it

The CSA argued that barnardisation of the information which Mr Collie requested would involve the creation of new information which it did not hold as at the date of its receipt of the request, and that nothing in FOISA required it to do that. However their Lordships were unanimous in finding that barnardisation did not constitute the creation of new information but instead, rather like redaction, simply involved doing something to information to allow its release in a form which does not infringe the rights of the individuals to whom it relates. Lord Rodger went so far as to say that where disclosure of information requested under FOISA would breach the data protection principles, section 1(1) of FOISA obliged an authority to consider whether it could provide that information in another form without thereby breaching the DPA. Quite how far the authority is required to go in this respect is not clear, but Lord Rodger specifically pointed out that any such amendment or reworking of the information would be subject to the time and cost constraints which are built into freedom of information legislation.

The meaning of "personal data" in terms of the DPA

Undoubtedly of greatest interest to those awaiting the outcome of this case was their Lordships' approach to determining whether or not the barnardised information was "personal data" within the meaning of the DPA. This issue has clear relevance to the creation and processing of statistical information.

Durant

Counsel for all parties had relied heavily on the Court of Appeal's 2003 decision in Durant v Financial Services Authority for the purposes of determining whether the barnardised information could be said to "relate" to the children involved. However the House of Lords held unanimously that Durant was simply not relevant to the case under consideration. Whilst no single, consistent reason for disregarding Durant can be found in their Lordships' speeches, the judgment may nevertheless arguably be authority for the position which emerges from the Information Commissioner's Technical Guidance Note of August 2007, to the effect that Durant is relevant to the question of whether data "relates" to a living individual only in difficult cases where the information in question is not "obviously about" someone. In this case their Lordships were apparently comfortable that, even in its barnardised form, statistical information about the incidence of childhood leukaemia was information about the health of the children concerned and as such that it related to them in the ordinary sense of that word. There was therefore no need to turn to Durant and its concepts of focus and significant biographical data, to decide whether this first requirement of the definition of "personal data" was satisfied.

Identification

If the barnardised information clearly related to the children concerned, their Lordships had more difficulty in dealing with the second leg of the definition of "personal data" – i.e. whether any of the children could be identified from the barnardised information (either alone or taken together with other information in the possession, or likely to come into the possession, of the CSA). It was common ground between their Lordships that the fact that the CSA continued to hold "other information" which would ultimately have allowed it to "decode" the barnardised information to identify each of the children to whom it related, did not necessarily mean that the barnardised information was still personal data. However they did not all adopt the same reasoning in reaching that conclusion and in fact at least two quite different rationales can be identified from the judgment. Lord Hope took the view that data can be "fully anonymised" in the hands of the data controller and thereby cease to be personal data, even where the data controller does have information which would theoretically allow it to unlock the identities of the subjects of that data, but did not explain exactly how or in what circumstances that anonymisation might be achieved. Lord Rodger thought that data would remain personal data in the hands of the data controller provided that the data controller could identify the subjects of that data using "reasonable means". Again though, the practical implications of that reasoning are not clear. In marked contrast, Baroness Hale focused instead on the proposed recipient of the data, and whether he or she could identify the subject(s) of that data from that data alone (given that he or she would not have access to any of the "other information" in the hands of the disclosing data controller).

This lack of unanimity would seem to have arisen from the difficulty which their Lordships faced in reconciling the definition of "personal data" in the DPA with the spirit of Directive 95/46/EC (which the DPA transposed into UK law) and in particular with Recital 26 of the Directive which states that "the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable …". In Baroness Hale's words, whilst their Lordships would "all like the legal position to be that, if the risk of identification [of the children] can indeed be eliminated, the Agency is obliged to provide [the information requested]", in line with the "expectation in Recital 26", she had "much more difficulty in spelling out [that conclusion] from the definition of "personal data" in section 1(1) of the Act". The ultimate purpose of the judgment as it relates to this point is therefore clear. However what is not clear is exactly how the "identifiability" requirement of the statutory definition should be interpreted and applied going forward. The different approaches to this issue found in the judgment might in many cases produce the same answer. However this will not always be the case. Questions remain to be answered then as to precisely what factors are to be taken into account in determining when data can be said to be "fully anonymised" and as such no longer personal data.

Conclusion

The House of Lords' judgment provides some clarification of the extent of public authorities' obligations to amend or otherwise do anything to the information which they hold for the purposes of responding to a request for that information under freedom of information legislation, in particular where that information is personal data. It also may (on one interpretation at least) help to clarify the impact of the Court of Appeal's judgment in Durant. However what it does not do is to clearly address the question of the correct legal interpretation of the "identifiability" requirement of the UK's statutory definition of "personal data". Indeed arguably the judgment raises more questions in this regard than it answers. Those questions will no doubt be mulled over at length by commentators in the coming weeks and months. Ultimately though what is apparent from their Lordships' decision in this case is that they do not think that the words of the definition in the DPA, when given their plain meaning, sit easily with the corresponding provisions of Directive 95/46/EC. It is a matter of debate whether this can satisfactorily be resolved by further purposive construction or whether formal legislative amendment is required.