Privacy and Information Law News
01 December 2007
From the Editor
It has been a busy Autumn in the privacy and information law
space.
The Prime Minister announced at the end of October that he has
asked the Information Commissioner and Doctor Mark Walport,
director of the Wellcome Trust, to review the way personal
information is shared and protected in the public and private
sectors.
The Government has also announced that it has scrapped proposals
to increase the charges for accessing information under the Freedom
of Information Act. It is just over a year since Lord Falconer
floated plans to introduce fees for time spent considering freedom
of information requests. Several factors contributed to the
decision not to proceed. First, a variety of high profile critics,
foremost among them the Information Commissioner, had branded the
proposals unworkable. Secondly, the fuss generated by David
Mclean's failed attempt to exempt MPs from FOI altogether and
Gordon Brown's proclamation of a different style of government,
seem to have made it politically unattractive to put through
changes aimed at limiting openness and transparency.
The Government has also announced a consultation seeking views
on whether it should use its powers under the Freedom of
Information Act to extend the regime to private organisations
carrying out public functions. Under s.5 of the FOIA Jack Straw can
"designate" organisations as public authorities thereby bringing
them within the rules for access to information. The consultation,
originally planned for the first year of FOIA in 2005, runs until 1
February 2008.
On 21 November, Gordon Brown announced that the Information
Commissioner is to be given powers to conduct unannounced audits at
Government Departments as a result of the reported loss of personal
data by Her Majesty's Revenue and Customs (HMRC). At a meeting held
at FFW's London headquarters, Richard Thomas told the National
Association of Data Protection and Freedom of Information Officers
that he has also insisted on being given the necessary resources to
carry out these audits. Mr Thomas is also calling for the law to be
changed "to make security breaches of this magnitude a criminal
offence".
Finally, on a personal note, I'm delighted to be announce that
FFW's Privacy Information Law Group has received two accolades in
the last month. We have been listed by Computerworld, the
leading US IT journal, as one of the top 10 privacy law practices
in the world. And here at home, the legal directory, Chambers
UK, has listed FFW in the top tier of firms with data protection
expertise.
On behalf of all of the Privacy and Information Law team, I
would like to wish you a merry festive season and a prosperous
2008.
Data Protection
Public Sector Data Sharing
The Information Commissioner's Office (ICO) has recently issued
guidance to public bodies outlining factors which should be
considered before sharing personal information between departments
or with other authorities.
Sharing Personal Information: Our
Approach sets out the ICO's view on a variety of important
questions:
- the ICO is going to concentrate on cases where sharing of
personal information results in genuine unfairness or unwarranted
intrusion to the detriment of the individual;
- the overall aim in sharing personal information should be the
protection of the public and better services, combined with data
protection;
- individuals should be informed when information is being shared
and it should be clear to individuals how sharing will be carried
out, how it will affect them and who it is being shared with;
- "Privacy Impact Assessments" should be drawn up which will
identify the intended benefits either for the individual or
society, and also the data protection risks such as intrusion into
personal privacy, or threats to the integrity of personal
data;
- an overriding principle should be to avoid any risk of real
unfairness or unwarranted detriment, although in some cases this
could be lawful in order to prevent criminal activity, for example
to catch benefit cheats;
- clearly there will be a higher threshold in respect of
disclosure of information when it is sensitive or confidential
information; and
- in respect of quality and security, the ICO expects
organisations which have decided to share information to be able to
demonstrate that they have addressed the implications of doing so,
and have implemented appropriate security measures, such as
checking that information is up to date and that inaccurate
information is corrected by all organisations with which it has
been shared.
The guidance encourages organisations to draft Codes of Practice
and present them to the Information Commissioner for his
endorsement. Adherence to a suitably endorsed Code of Practice
will, in the ICO's view, be a significant step to achieving
compliance with the DPA. It also makes it clear that the ICO will
not attempt to stifle local authorities with a heavy-handed
application of legislation: "The ICO will avoid an overly
restrictive application of data protection law where that would
lead to organisations failing to make sensible use of the
information they hold ... The ICO recognises that modern
information technology allows the sophisticated analysis and rapid
transmission of information. Our approach will not prevent public
bodies making the most of the benefits that technology can bring to
society and individuals."
What does all this mean in practice? Public authorities
should consider the following:
- Privacy Impact Assessments: to assess the benefits and negative
effects of data sharing.
- Only relevant information should be shared, and on a
need-to-know basis.
- Decide and document the objectives of sharing.
- Use of anonymised or statistical information as much as
possible.
- Use of fair processing notices and privacy policies to inform
people how information will be shared.
- If you discover that the information is incorrect after you've
shared it, you not only have to correct your own, but inform those
to whom you have given it.
- Agree with information sharers what to do with information once
the need to share has passed.
- Audit the personal information your organisation holds.
- Ensure that information sharers have a common security
standard.
Ruling on ownership of contacts data is good news for
employers
In Pennwell Publishing v Ornstien, the High Court decided
that where an employee creates and keeps a list of contacts on
Outlook which is part of his employer's email system, that list
belongs to the employer.
Mr Isles was a journalist employed by Pennwell Publishing in what
the judge described as "an important role as a publisher [of
newsletters] and conference chairman for international conferences
for the power industry". Mr Isles had worked for Pennwell for
several years when he resigned to set up a competitor.
Shortly before leaving Pennwell, Mr Isles copied the contents of
his Outlook address book to a memory stick. The list included
business contacts he had made while working for his previous
employer, details of contacts he had made while working at Pennwell
and personal contact details for his friends and family.
Pennwell argued that the contacts list was prepared and maintained
on its computer system and backed up on its servers during Mr
Isles' employment for the purpose of that employment.
As such, it was Pennwell's confidential information, although it
conceded that Mr Isles ought to be able to keep a copy of the
information which pre-dated his employment with them. Mr Isles
disputed Pennwell's claim on the basis that the list was his
personal contacts list which he, like other journalists and
editors, kept and which contained the contacts he had built up over
the course of his career.
The judge concluded that the list could not properly be described
as a personal list but had been developed and maintained by Mr
Isles for the purpose of his role at Pennwell. The fact that some
of the information pre-dated Mr Pennwell's employment or was
personal in nature did not affect this conclusion. As a result, the
list was both confidential information which was Pennwell's
property and a database, the database rights in which belonged to
Pennwell.
The Court accepted that Mr Isles, as a journalist, was in a
different position than a salesman or other executive might have
been. He would have been entitled to maintain a personal list of
journalistic contacts with a view to using these in his future
career. However, the difficulty for Mr Isles was that he just
hadn't done so - the Outlook address list was the only contacts
list he maintained and that list belonged to Pennwell. Mr Isles
would also have been entitled to copy personal contact information
(including details of his journalistic contacts) from the list
before leaving Pennwell; again the difficulty was that he had not
done so. Rather, he had just copied the entire list. The Court
suggested that employees could also delete confidential personal
contacts such as details of their doctor or lawyer before leaving a
job.
The judge recognised that his conclusion would surprise many
employees who keep all sorts of contact details on their employers'
computer systems. He suggested that employers devise and publish an
email and computer systems usage policy to flag the issue to
employees. In this case, Pennwell had put in place such a policy
but had failed to communicate it to all employees.
Although the court found in favour of the employer in this case,
the decision should act as a reminder to employers.
- Make sure policies on use of email and computer systems deal
with the ownership of contact lists and other information contained
on or created using the employer's systems.
- Communicate email or computer systems usage policies to all
employees.
- Ensure that contracts of employment contain (appropriately
limited) non-compete restrictions.
- Check that contracts of employment specifically provide that
intellectual property rights (including database rights and
confidential information) created by the employee (at least for the
purposes of his or her employment) will be owned by the employer.
Often this is the position under the general law anyway but
employers should make clear that they don't intend to derogate from
it.
International privacy standards move a step
closer
The 29th International Conference of Data Protection and Privacy
Commissioners took place in Montreal at the end of September,
hosted by the Office of the Privacy Commissioner of Canada. The
conference focused on the challenges faced by privacy and data
protection regulators around the world, who are operating in a
climate of uncertainty when it comes to privacy. All participants
acknowledged that technology and terrorism are transforming the
world. Information outsourcing and the exponential growth of
transborder data flows, as well as illicit data trafficking have
become commonplace, and therefore a new approach to privacy
protection is required. The conference was a chance to assess this
shifting privacy landscape and to map out the responsiveness of
regulators and their capacity to address the emerging issues that
trouble privacy professionals.
Building on the work of previous initiatives, the commissioners
adopted resolutions on the development of new international privacy
standards and international cooperation. Ultimately, this was
another decisive step towards greater harmonisation among the
different national approaches to personal information protection.
It is certainly encouraging for international businesses and
organisations to see the privacy commissioners of the world
aligning their positions and recognising that global privacy
protection can only result from further co-operation.
Bluetooth not subject to Privacy and Electronic Comms
Regs after all...
The ICO has changed its opinion on whether unsolicited marketing
messages sent using Bluetooth fall under the Privacy and Electronic
Communications Regulations 2003 (PEC). Bluetooth is a close-range
wireless communications technology that is available on many mobile
phones. Previous guidance said that Bluetooth was covered by Reg.22
of PEC. The ICO has now decided that as PEC only applies to
messages sent over a public electronic communications network,
Bluetooth is in fact not covered because it doesn't use a public
network.
Nevertheless, the ICO urges marketers to consult industry
guidelines on good marketing practice if considering using
Bluetooth technology. The new interpretation, reached in
consultation with the Department of Business, Enterprise and
Regulatory Reform, seems to open up scope for spamming although the
Direct Marketing Association has emphasised that current good
practice guidelines still apply.
Freedom of Information
FOIA and the confidentiality of contracts
The Scottish Information Commissioner, Kevin Dunion, has recently
ordered VisitScotland to release details of a contract with the
company that runs its website, visitscotland.com, following a
request under the Scottish Freedom of Information Act. Mr Dunion's
Office rejected VisitScotland's argument that contracts were exempt
because they constituted information obtained from a third party
and because disclosure would be an actionable breach of
confidence.
Although a Scottish decision, the case follows the English
Tribunal judgment in Derry City Council v Information
Commissioner. It has potential application south of the
border because the wording of the exemption in the Scottish Act is
the same as in s.41 of the FOIA.
Mr Dunion's Office concluded that the contract did not
constitute information from a third party, because it was a
negotiated document and therefore was the product of input from the
authority itself as well as its service provider. At the same time,
it did not categorically rule out the prospect that information in
a concluded contract could amount to third party information in
certain circumstances. The extent to which elements of the contract
are the "contractor's" (and therefore more likely to be exempt)
rather than the public authority's would be a matter of evidence in
each case.
The case underlines the need for organisations to state clearly
what information they are providing when they contract with public
authorities so that it is clear what information is theirs (e.g. a
tender which is incorporated as part of the terms and conditions)
and what has been negotiated. Without taking these steps, private
contractors' information which forms part of a concluded contract
is unlikely to benefit from the FOIA s.41 confidential information
exemption.
Read the decision
here.
FOIA and legal privilege
There have been several ICO decision notices in recent weeks
arising from requests to public authorities for the disclosure of
legal advice about authority business. In three of these cases, the
decision to withhold information on the basis of legal privilege
was upheld. However in two of them, the ICO's conclusion provides a
stark warning about how authorities handle legally privileged
information and the application of FOIA s.42 and regulation
12(5)(b) of the EIRs.
The ICO decided in cases involving Dover District Council and
Bradford Metropolitan District Council that they could not rely on
s.42 and regulation 12(5)(b) because the way in which legal advice
had been handled meant that legal privilege had been waived. Dover
District Council (decision notice FER0082136) received a request
for a full copy of counsel's opinion regarding the possible
registration of land as a village green. The opinion had been
summarised in a report of the Chief Planning Officer. The Council
refused to provide the full opinion claiming that it was exempt
under s.42, and that the public interest did not lie in favour of
disclosure.
First off, the ICO quite rightly decided that the request should
have been dealt with under EIRs as the Council's proposals were
plans or activities likely to affect the state of land, being one
of the "elements of the environment" set out in in the definition
of environmental information in reg.2(1)(c) of the EIRs. Regulation
12(5)(b) is the equivalent provision under the EIRs to s.42 of
FOIA, providing exemption, subject to the public interest, for
information which attracts legal professional privilege.
The ICO was satisfied that counsel's opinion attracted legal
advice privilege and therefore that reg.12(5)(b) was engaged.
However, it was mindful that legal privilege may be waived and
referred to an earlier Information Tribunal decision (Mr M S
Kirkaldie v Information Commissioner, EA/2006/0001, 4 July 2006)
which cites case law in establishing a test for waiver:
"Publication of privileged information to the general public
will deprive the information of any privilege which previously
existed. So, for example, any press release which makes use of
privileged information will almost certainly result in a waiver of
that privilege." (Chandris Lines v Wilson & Horton
Ltd [1981] 2 NZLR 600).
The ICO considered whether the Council's publication of a
summary of the advice would result in privilege being waived. In
Kirkaldie, it was established that disclosure of the basis on which
the advice was sought and the main opinion given would be
sufficient to constitute a summary of advice and therefore amount
to waiver of legal privilege. The ICO found that the main opinion
given in counsel's advice was mentioned in the Chief Planning
Officer's report, which therefore constituted a published summary
of legal advice. Any privilege to that advice had therefore been
waived and the Council could not rely on reg.12(5)(b).
The ICO similarly decided that legal privilege had been waived
by Bradford Metropolitan District Council (decision notice
FER0081580) when they released and made freely available a summary
of advice given by Counsel in relation to a planning application.
The Council described the summary as a "public briefing note" that
had been "widely circulated" and claimed that it was the Council
officer's summary of the legal position after having taken
Counsel's opinion, and that the note did not reproduce the advice
in detail. The ICO did not accept that the summary was that of the
Council officer's opinion, especially as the summary referred
specifically to the opinion given by counsel. The ICO found the
summary to be an accurate reflection of the advice given and found
nothing substantial in the advice that was not referred to in the
summary. In its view, if a party had disclosed privileged
information in part, then that privilege had effectively been
waived in its entirety. The ICO therefore decided that by
publicly releasing the findings of Counsel in the briefing note,
the Council had waived its claim to legal privilege in respect of
Counsel's advice.
In contrast, the ICO decided that Forest Heath District Council
(decision notice FS50097244) had not waived legal privilege and
upheld the Council's decision not to disclose counsel's advice
about planning issues concerning a property. The ICO commented that
reference alone to a privileged document was not sufficient to
waive privilege. Following the Information Tribunal's approach in
Kirkaldie, the ICO said that privilege will be waived if the
contents of the advice is quoted or summarised.
In the Forest Heath case, legal advice and counsel's opinion
about a property and a planning application in relation to that
property were requested by the owner of the property. No summaries
of the legal advice had been given, and there was no evidence that
the legal advice had been shared with members of the Council. The
information sought included correspondence between the Council's
Legal and Development Control Departments and was properly
considered to have legal professional privilege as it had been
generated and obtained for the purposes of contemplated legal
proceedings. The Commissioner referred to the Information Tribunal
decision in Bellamy v Information Commissioner (EA/2005/0023,
FS006313) at paragraph 35: "... there is a strong element of
public interest inbuilt into the privilege itself. At least equally
strong counter-veiling considerations would need to be adduced to
override that inbuilt public interest ... it is important that
public authorities be allowed to conduct a free exchange of views
as to their legal rights and obligations with those advising them
without fear of intrusion, save in the most clear case".
The counsel's advice which had been sought from Milton Keynes
Council (decision notice FER0123644) had not been made public and a
summary of the advice had not been published.
Milton Keynes Council also confirmed that neither the fact that
the advice had been requested nor that it had been received had
been made public. There was therefore no question that the
privilege had been waived and the counsel's opinion therefore
continued to enjoy advice privilege. Balancing the competing
interests in maintaining the exception and disclosing the opinion,
the ICO decided that the public interest was in maintaining the
exception and, therefore, withholding the information.
The Commissioner was also satisfied in the North Norfolk
District Council (decision notice FS50120004) case (decision notice
FS50120004) that legal professional privilege applied to counsel's
opinion as it had not been shared, copied or disclosed to either
the general public or a third party free of restriction and
thereforethe Council had not , in any way, waived its rights to
claim legal privilege. The ICO, again balancing the competing
interests, decided that the public interest in maintaining the
exception provided by reg.12(5)(b) outweighed the public interest
in disclosure.
It is clear from these cases that authorities cannot rely on the
legal professional privilege exemptions under the FOIA or the EIRs
where they have made some sort of public disclosure of the legal
advice without restriction. This will include:
- publishing a summary of the advice;
- sharing, copying or disclosing the main part of the advice to
the public;
- sharing, copying or disclosing the advice to a third party free
of restriction; and
- quoting the advice or parts of it to the public.
Public authorities therefore need to be careful how they treat
legal advice. It is advisable when preparing reports, press
releases or other statements intended for public disclosure to
consider (a) whether related advice is suitable for disclosure, and
(b) whether anything is added by including summaries of legal
advice or quoting parts of it. It may be possible to set out the
action or decision to be taken without disclosing that legal advice
was sought or the crux of that advice.
If this is not possible, for example because it is essential for
decision making purposes and other reasons for the legal advice to
be included, that part of the report containing the advice could be
dealt with as exempt information (in the context of the Local
Government Act 1972) with clear and strict instructions as to the
confidentiality of the advice to members receiving it in private
session.
There may be occasions when requests are made by members to be
provided with copies of the advice. Again, authorities should
consider whether the advice should be widely circulated and made
available to the public. Potentially, disclosure to a member
without restriction could amount to legal privilege being waived.
If it is intended that the advice is withheld from the public,
authorities can make arrangements for members to read the advice,
provided they can establish a need to know and the confidentiality
of the advice is made expressly clear. No copies should be taken
and members should be advised that disclosure of any part of the
advice must not be made to any person.
Comment
Privacy and Photographs
What right to privacy does a person have when they appear in a
photograph? If you're Kate Middleton it's not unreasonable to
protest at the level of hounding you receive even when you're
engaged in relatively mundane activities such as walking to work.
The high water mark of privacy protection for photographs appeared
to have been reached in the European human rights case involving
Princess Caroline of Monaco when several photographs of her
undertaking everyday activities were found to breach her right to
privacy. However, a recent decision made by the High Court suggests
that under English law, a court will not immediately be guided by
the European judgment.
In the recent case, JK Rowling sought to argue that a photograph
of her 2 year old son taken without consent was an infringement of
his rights to privacy. UK law has recognised through cases such as
Douglas v Hello and Campbell v MGN that information about
people that is depicted in photographs can merit protection. This
development has evolved through the law of breach of confidence
which has moved away from requiring a pre-existing relationship of
trust. The starting point is now to determine whether Article 8 -
the right to privacy - under the European Convention of Human
Rights is engaged. As part of this assessment, a court must
consider whether the individual had a reasonable expectation of
privacy in relation to the disclosed facts.
The Lords confirmed that Naomi Campbell's Article 8 rights were
engaged when she was photographed on a street because of the
additional information accompanying the photograph indicating that
she was undergoing treatment for drug addiction; the photograph
depicted her leaving a Narcotics Anonymous meeting. Likewise, the
European court has recognised that the release of photographs and
publication of CCTV footage of an individual attempting to commit
suicide far exceeded what the individual could have reasonably
foreseen by walking on a street (Peck v UK).
But the case of JK Rowling's son was, in the court's view,
different. For there was nothing in the photograph that showed
either the individual or his parents in any embarrassing way.
Furthermore, the photograph did not obviously cause distress and
there was no additional element that turned this public occasion -
walking along a street - into a private one.
Considering JK Rowling's complaint, the judge acknowledged that
he was bound by the Lords' decision in Campbell and was not able to
accept the argument put forward by Rowling and her husband
established in the Princess Caroline decision. Furthermore, the
judge was keen to state that the law should not be allowed to carve
out a press-free zone for the children of well known people in
respect of absolutely everything they choose to do. Despite the
Princess Caroline decision, the judge believed that there remains
an area of routine activity which when conducted in a public place
carries no guarantee of privacy.
This ruling helps to support the argument that the Princess
Caroline decision has not unduly restricted the taking and
publication of photographs of well known people in public places.
However, where there is a suggestion of harassment or of causing
embarrassment or distress, a court may well look more closely at
the ECHR's reasoning that such photographs should only be allowed
when they contribute to a matter of public debate.
For further information, please contact Marcus Turle.