There have been a number of interesting developments in data protection andinformation law generally since this column last appeared. Some are not strictlydata protection but are so closely linked that they deserve a mention.
The Information Commissioner and the FOIA
To start with a change of name: on 30 January, two months after the Freedomof Information Act 2000 (FOIA) came into force, the Data Protection Commissionerbecame the Information Commissioner with a corresponding re-naming of heroffice. This was the first outward sign of the changes set in motion by the FOIA.The Act will replace the present non-statutory Code of Access to GovernmentInformation. The Code, which was originally introduced under John Major,currently applies to much, although by no means all, of the public sector and issupervised by the Ombudsman. His role will cease and the InformationCommissioner will be the regulatory authority for the new Act.
The changeover will take some time. The FOIA does not have to be fullyimplemented until 30 November 2005, at the latest. It is anticipated thatcentral government departments will be the first to be subject to the newregime, possibly by summer 2001 (although the date seems to be slipping) withthe Act gradually ‘rolled out’ to the rest of the public sector over thefollowing four years. Once the Act has been applied to a public body, its effectis fully retrospective, ie all existing and historical information which thebody holds will be open to access requests. The five-year implementation periodis needed to give time to expand the Information Commissioner’s staffing (heroffice is expected to double in size so job seekers should hurry towww.dataprotection.gov.uk) and to enable public authorities to prepare for thenew regime.
Unlike the Human Rights Act 1998, which includes a functional definition,FOIA includes a long list of the public authorities to which it will apply;these include the police, government departments, NHS bodies, local authoritiesand schools and colleges.
The Act introduces a general right of access to all types of ‘recorded’information. Public bodies will have to make such information available inresponse to formal requests. A Code of Practice, setting out how public bodiesshould deal with requests, will be issued. A draft Code was issued at the sametime as the Bill and is available on www.homeoffice.gov.uk/foi.Fees for access will be set out in fees regulations (yet to be finalised).Information will have to be provided within 20 working days of the receipt ofthe request.
The right of access is subject to a considerable number of exemptions. Therewas much criticism of the exemptions as the Bill went through Parliament,particularly from the Campaign for Freedom of Information, and some of thosewhich appeared in the first draft were removed or softened as a result. Theexemptions cover 17 categories where a public interest test applies and sixwhere the exemption is absolute. Where the public interest test applies, theexemption will be overridden if the public authority considers that despite theapplicability of the technical exemption the public interest in disclosureoverrides the interest in withholding the information.
As the new right interfaces with existing rules about access after certainlengths of time (the most well known being the 30-year rule) and as a right toaccess records is rendered nugatory if the records cannot be found, the Act alsoincludes provisions dealing with public records. A new records management codewill be issued for public bodies (a draft copy is available on www.pro.gov.uk/recordsmanagement).
The FOIA is not intended to be merely a mechanism embodying a formal set ofprocedures but to change the way in which the public sector deals withinformation. It seeks to introduce and promote a ‘culture of openness’. Tothis end, not only will public authorities have to respond to specific requestsfor information, but they will also have to adopt and maintain publicationschemes setting out what information they intend to make public and theircharging policies for information.
The interface with personal information is likely to prove tricky tonegotiate. In the broadest terms, requests by individuals for access to dataabout themselves will be treated as subject access requests under the DPA, whilerequests for data relating to others will be subject to vetting to see whetherthe disclosure of the information would accord with DPA requirements. If anindividual has lodged a section 10 objection which has been accepted, or if theindividual would not be able to have access to the information because a subjectaccess exemption would apply then the applicant will not be able to access thedata either. In other cases, regard will be had to whether the access can begiven without breaching the Principles.
A guide to the Freedom of Information Act is available on theCommissioner’s Web site at www.dataprotection.gov.ukas is an outline work plan showing the proposed activities to be undertaken byher office up to March 2002 in preparation for implementation. The initial focusof the work will be to prepare guidance on, and model versions of, publicationschemes as well as providing general guidance on FOIA and the interface with DP.
New Guidance
Given the impact that FOIA work is undoubtedly having on the Commissioner’soffice, it is impressive that her office has continued to produce new guidanceon DP issues, although admittedly these have been relatively short papers.
Consultation on the draft Code on Employee/Employer relations closed inJanuary and the responses are still being considered. It is possible that thefinal version may be issued in sections dealing with particular topics.
The Commissioner’s site now includes 25 Compliance Guidance documents and 7Legal Guidance documents. To the outsider the distinction between the two is notimmediately apparent and if you are looking to see whether guidance has beenissued on a particular topic it is advisable to check both lists. New in theCompliance list is advice to local authorities on the DP position of electedmembers and on information sharing, neither of which contain any surprises.There are six sets of guidance on various aspects of subject access covering theeffect of the subject access exemption orders. There is also a new piece on thepublication of examination results which takes the line that publication isacceptable provided that pupils have been told of the likelihood of it and thatany objections are taken into account.
The Legal Guidance section now includes two pieces of which lawyers advisingin this field will need to be aware (irrespective of whether they agree with theviews taken). These cover the meanings of the terms ‘personal data’ and‘data controller’. Both include potentially controversial propositions. Inthe paper on personal data, the Commissioner ‘comes out’ on the issue ofwhether information collected over the Internet which does not includetraditionally identifiable names is personal data. She has taken the view thatit is and makes the following comment:
“Information may be compiled about a particular Web user, but there mightnot be any intention of linking it to a particular name and address or e-mailaddress. There might merely be an intention to target that particular user withadvertising, or to offer discounts when they re-visit a particular Web site, onthe basis of the profile built up without any ability to locate the user in thephysical world. The Commissioner takes the view that such information is,nevertheless, personal data.”
However, this leaves a number of questions hanging. For example, does itstill apply where several people use one computer?
The guidance also deals with the problems raised by the concept ofanonymisation.
The paper on the definition of ‘data controller’ continues to take a wideview of the term, and repeats the advice that even extremely limited processingof personal data may suffice to make a person a data controller, for example inthe Commissioner’s view clients of credit reference agencies who search theagency databases become data controllers for such data even if they do no morethan read information off the screen. As readers will know (on the optimisticassumption that anyone reads this column more than once and remembers what wasin it last time), this is an interpretation which causes the writer somediscomfort. The responsibilities of a data controller are weighty, particularlytowards data subjects, and the position of the data subject may be more securelyprotected if he or she can look to one responsible party. Many processesinvolving personal data have more than one actor, in a pensions context therewill be trustees of the fund, auditors, insurance companies, administrators,solicitors and employers. If legal responsibility is regarded as fragmentedamong a large number of data controllers who are each held responsible for bitsof the overall process, the position of the data subject is weakened. Anindividual who wishes to know what data is held on him or her would have to makea large number of separate subject access requests in such a case.
In the pensions context, we have advised that the trustees should be regardedas the data controller and the data subject should be able to have recourse tothe trustee in respect of all the data involved in the scheme. This can bedistinguished from the credit example as the trustees have legal responsibilityfor the scheme and it is probable that the Commissioner would take the same viewbecause of this factor. However, the general point remains valid.
Decision and agreement in the case of Second Telecom and Top 20 Limited vData Protection Commissioner
The Commissioner’s site now contains the papers from the first Tribunalcase since the 1998 Act came into force, and that is examined below.
The decision papers have only recently been made available from these linkedcases, although the Tribunal ratified the settlement in November 2000.
The cases were concerned with the sending of unsolicited marketing faxes toindividual subscribers. Readers may recall that it was because of the pressureto deal with the nuisance of fax marketing to residential lines that theregulations implementing the relevant parts of the Telecommunications DataProtection Directive (97/66/60) were brought into force in May 1999, nearly 12months before the rest of the implementing provisions.
The decision papers consist of identical agreed enforcement notices, dated 12January 2001, against Second Telecom Limited and Top 20 Limited which imposeobligations on both companies to screen their existing databases against listsof residential subscribers. These notices have not been considered by theTribunal and the possibility of appeal against them therefore still applies(albeit one that would now be outside the 28-day time-limit and thereforerequire the consent of the Tribunal). There is also an order of the Tribunal,agreed by both sides, which imposes obligations on both companies not to sendfaxes to anyone who has opted-out of receiving them by informing either theCommissioner or the company or who appears on the fax preference service stoplist.
In effect the offending companies are being required to carry out a listclean against a commercially available list, and then operate an effectiveopt-out system where individuals object to the receipt of marketing faxes. Giventhe requirements of the Directive, this may seem a curious resolution. TheDirective requires that unsolicited marketing faxes must not be sent to personalsubscribers unless they have actually consented to receiving them, whereasunsolicited marketing faxes may be sent to subscribers who are not individualsunless they have opted out of the receipt of such faxes, in which case theiropt-out must be respected. Thus the basic rules in the Directive are thatindividuals have to positively opt-in; businesses have a right to opt-out. TheUK has an obligation to pass national law implementing these standards. On theface of it there must be concern that the standard agreed by the Commissioner inthis settlement does not meet the standard required by the Directive.
The reason for this apparently anomalous result is to be found in the way theDirective has been rendered into law in the UK by the Telecommunications (DataProtection and Privacy) Regulations. Regulation 23 provides for a stop, orpreference, list to be set up on which subscribers can register that they do notwant to receive marketing faxes. This was intended as a mechanism to facilitatethe right of business subscribers to opt-out. However the Regulation also allowsindividual subscribers to register on the opt-out list if they wish to do so.
This was designed to deal with the problem (for the fax marketers) of thosewith ‘ambiguous titles’. In other words those cases where an individualsubscriber operates under what appears to be a business name but which does notinclude the style ‘limited’ or any other indication of the precise nature ofthe legal person involved. Those sending the faxes did not wish to have to seekout the subscriber in each case where it was not clear from the name whether thesubscriber was an individual or not. There was some sympathy in the DTI fortheir perceived difficulties but the DTI’s hands were bound by the terms ofthe Directive. The DTI could not limit the consent requirement so that it onlyapplied to subscribers from residential addresses, without being accused offailure to implement the Directive properly.
To assist marketers therefore it was agreed that individuals could alsoregister on the stop list. Thus the law on the face of it would meet theDirective but, in fact, where an individual subscriber had an ambiguous title,the fax marketers would be able to continue to send marketing faxes withoutchecking his status, at least until they received an objection (whether directlyor through the stop list); in those circumstances a degree of protection couldstill apply where the number was that of an individual subscriber even though hehad not received the level of protection required by the Directive.
This was generous to the marketers, and possibly a bit of a fudge, but itoffered a way of dealing with the strong representations made on this point. Theconcern now must be that it has been used as a Trojan horse to bring the levelof protection to individual subscribers down to opt-out rather than the opt-inrequirement of the Directive. This certainly appears to be the effect of thepackage agreed before the Tribunal.
The agreed order includes a statement of the Commissioner in which she setsout the approach taken by her office. In this, considerable stress has been laidon the provision of reg 23(2) (which allows individuals to opt-out) and thedifficulties that face the marketers in ascertaining which numbers on theirdatabases belong to individual subscribers. The marketers are required to cleantheir existing database against a comprehensive ‘independent database’ of UKpublicly listed numbers which distinguish residential listings from businesslistings. (It does not explain in the notice where this comes from or whocompiles it or how. It is not BT as the agreed statement recites that it has notbeen possible to find a way of screening against BT’s data). The screeningexercise is to take place at intervals of every 90 days and before adding newnumbers to the list they are to be screened against this database.
It appears that whoever compiles this database has found a way to separateresidential numbers, so it can be done, and presumably could be done by the faxmarketers themselves. The screening process will weed out those numbers that areclassed as residential on the cleaning database. It will leave unaffected thenumbers that are classified as business numbers but where the subscriber is anindividual. The only resource for those persons is to exercise the opt-out underreg 23. It will not address the obtaining of new numbers and there is noobligation imposed on the marketers actually to comply with reg 24 and obtainprior consent before sending marketing materials to all individual subscribers.
A significant motive for settling the case at this level of protectionappears, from comments made by the Commissioner’s team quoted elsewhere, tohave been to save the time, effort and expense of a contested Tribunal hearingagainst the companies involved. Those quotes heralded a new era of speedy andcheap resolution of enforcement cases. While that is an outcome much to bedesired, it is to be hoped that it has not been too dearly bought.
On the European front, the Article 29 group has issued a formidable documententitled ‘Privacy on the Internet – An Integrated EU Approach to On-line DataProtection’ doc. 5063/00/EN/Final WP 37. It is an impressive review of thelinked legal and technological privacy issues raised by the Internet.
The Commission has continued work on the draft clauses for contracts dealingwith transfer of personal data to non-EEA countries which are being consideredby the European Parliament. However the draft has apparently drawn a hostileresponse from the US where it is seen as imposing too high a standard on theimporting data controller. The clauses as drafted require the importingcontroller to adopt safeguards as required by the law of the country of theexporting controller. In effect the data protection law of the country would beexported with the data. This is considerably more onerous than the Safe Harborrequirements so the response is understandable.
It appears that take-up of the Safe Harbor has been slow. Apparently onlyaround 30 firms have signed up, with Hewlett Packard being the only big nameamong them.
In the UK the law on information and privacy has been affected both bygovernment proposals and new case law. Legislation touching on privacy rights isproposed in the Social Security Bill, the Criminal Justice and Police Bill, andthe Health and Social Care Bill.
The Social Security Bill will allow ‘authorised officers’ from variouspublic bodies to receive information from specified organisations, such ascredit reference agencies, in relation to benefit claims. This should only bedone where there are grounds for suspicion of misclaiming of benefit.
The Criminal Justice and Police Bill includes new powers. It includesproposals to give the police and other law enforcement agencies additionalpowers to remove material from premises for examination elsewhere; to allow theretention of DNA samples and fingerprints voluntarily given for eliminationpurposes to be retained with consent and for such consent to be irrevocable; andto enhance the ability of the Inland Revenue and Customs and Excise to provideinformation to assist the police and other bodies conducting criminalproceedings and investigations.
The Health and Social Care Bill was announced in December and includes aprovision allowing the Secretary of State to make orders dispensing with patientconsent to make use of confidential medical information for specified purposes.Comment on the Social Security and the Health Social Care Bills appears on theCommissioner’s Web site.
Human Rights and Privacy
The intersection of the ECHR, Articles 8, 10, 2 and 3 has been considered intwo important cases. In view of their significance in the development of the lawon privacy comment on them is appropriate but space does not permit. For anaccount and analysis of the cases involving the Douglas/Zeta-Jones weddingpictures and the Venables and Thompson anonymity claim, see the SCL Web site. n
Rosemary Jay is a Senior Consultant at Masons: rosemary.jay@masons.com