Data Exchange between Administrative Bodies Needs Notice
The CJEU has given judgment in Case C-201/14 Smaranda Bara and Others v Presedintele Casei Nationale de Asigurari de Sanatate and Others. It held that, where personal data is subject to transfer and processing between public administrative bodies, the data subject must be informed in advance.
Facts
Ms Smaranda Bara and numerous other Romanian citizens are self-employed workers. The Romanian tax authority transferred data relating to their declared income to the National Health Insurance Fund, which then required the payment of arrears of contributions to the health insurance regime. The persons concerned (data subjects) contested, before the Curtea de Apel Cluj (Court of Appeal, Cluj, Romania), the lawfulness of that transfer under the Directive. They claimed that their data were used for purposes other than those for which those data had initially been communicated to the tax authority, without their prior explicit consent and without their having previously been informed.
Romanian law empowers public bodies to transfer personal data to the health insurance funds so that the latter may determine whether an individual qualifies as an insured person. The data concern the identification of persons (surname, first name, personal identity card number, address) but does not include data relating to income received. The Romanian Court of Appeal asked the Court of Justice whether EU law precludes a public administrative body from transferring personal data to another public administrative body for the purpose of their subsequent processing, without the data subjects being informed of that transfer and processing.
Judgment
The CJEU has held that the requirement of fair processing of personal data requires a public administrative body to inform the data subjects of the fact that their data will be transferred to another public administrative body for the purpose of their processing by the latter in its capacity as recipient of those data. The Directive expressly requires that any restrictions on the requirement to provide information are imposed by legislative measures.
The Romanian law that provides for the free transfer of personal data to the National Health Insurance Fund does not constitute prior information that would allow the data controller to dispense with his obligation to provide prior information to the persons from whom data are collected. That law does not define either the transferable data or the detailed arrangements for transferring those data, which are to be found only in a bilateral protocol agreed between the tax authority and the Health Insurance Fund.
As regards the subsequent processing of the data transferred, the Directive provides that a controller of data must inform the data subjects as to his own identity, the purpose of the processing, and any further information necessary to ensure the fair processing of the data. That further information includes the categories of data concerned and the existence of the right of access to and the right to rectify the data concerning him.
The Court observes that the National Health Insurance Fund’s processing of data transferred by the tax authority required informing the data subjects of the purposes of that processing and the categories of data concerned. In this case, the Health Insurance Fund had not provided that information.
Subject-access Requests: Crime Exemption, Proportionality and Procedure
The 2014 murders of British tourists David Miller and Hannah Witheridge in Thailand led to a police investigation which caused concern in the UK. As a result of that concern, and especially the concerns of the victims’ families, the government asked the Metropolitan Police Service (MPS) to create a report on the investigation. In compiling that report, Detective Chief Inspector Lyons of the MPS travelled to Thailand, consulted the Thai police and made observations of his own. Lin & Anor v Commissioner of Police for the Metropolis [2015] EWHC 2484 (QB) is concerned with a subject-access request from the defendants on trial for those murders; they sought access to the personal data in the report of DCI Lyons. It was accepted that the report contained relevant personal data (though the extent to which the report constituted personal data was disputed) but the police contended that it was subject to exemption under the Data Protection Act 1998, s 29 – the ‘crime exemption’.
In a very lengthy judgment, Mr Justice Green supported the MPS objection and refused the request for disclosure. He identifies the issues to be addressed (at [81] et seq).
Issue I: Who has the burden of proof of proving both the right to invoke the exemption? What is the standard of proof?
Green J referred to R (Lord) v Secretary of State of the Home Department [2003] EWHC 2073 (Admin) where it was held that, because of the importance attached to the rights of the individual, it was the data controller who had the burden of proof to establish the right to refuse access and that the standard of proof was a relatively high one. He was clear that the MPS had the burden of proof.
Issue II: Was the personal data in the MPS report ‘processed’ for purposes of (a) the prevention or detection of crime or (b) the apprehension or prosecution of offenders?
In claiming that the exemption did not apply, the claimants had pointed out that the report was really an exercise in family liaison rather than investigation. Green J felt that this was too narrow an approach: ‘modern thinking is to accept that the criminal justice system is not exclusively about pursuing and punishing the guilty; it is also about protecting the victims and this can include their families‘ (at [87]). He relied on a purposive construction of s 29 to rule that the processing was indeed subject to the exemption.
Issue III: Would granting access be likely to prejudice any of those purposes?
This was what Green J described as the ‘weighing, proportionality, exercise‘ but it was complicated by the fact that the claimants were involved in a trial that might result in them receiving the death penalty. The ‘chilling effect’ on future co-operation between UK police authorities and foreign police forces was clearly given the most weight here but Green J pointed out that there was no question of the entire report being disclosed and that he had to apply the proportionality test to each item of personal data. But ‘[i]f I order disclosure of the personal data I would risk giving a sliver of the Report which might be misleading because it is taken out of context‘.
Procedural Difficulties
Though the facts of Lin v Commissioner of Police for the Metropolis are fascinating, the circumstances are so unusual that the case might be considered to be of little help as a precedent, at least in terms of the proportionality exercise. But the procedural difficulties that were encountered by virtue of the fact the claimants were unable to see the report while arguing for the importance of its disclosure are not confined to such circumstances. The ‘confidentiality ring’ was not appropriate to a death penalty case and, in any event, the MPS would have refused to disclose the report to the claimants’ advocates on that basis. It was even suggested by the MPS that, if serious questions were posed about individual items of information, the judge could do so in a closed hearing which would entail the public and the claimants being excluded. It was not considered appropriate to use a special advocate because of the urgency of the proceedings but that was something that Green J might have considered in the absence of such urgency.
Subject-access Requests: Privilege, Proportionality and Propriety
In Dawson-Damer & Ors v Taylor Wessing LLP & Ors [2015] EWHC 2366 (Ch) the High Court was faced with a choice concerning subject-access requests sent to Taylor Wessing, the well known firm of solicitors.
On receipt of a request for documents based on the Data Protection Act 1998, s. 7(9), Taylor Wessing refused to send any documents on the basis that its client, Grampian Trust, was entitled to rely on legal professional privilege in respect of the majority of the documents. Moreover, it was the Taylor Wessing case that it was not reasonable to expect them to sift through a mound of documents going back 30 years to produce the minority that were not privileged; many of the documents were held ‘loose leaf in boxes’ and so were not in relevant filing systems for the purposes of the DPA.
The background to the case involves a family trust, adopted children, a Bahamian trust and the movement of funds (large sums at that).
In August 2014 subject access requests were sent on behalf of all three claimants to each of the Defendants enclosing a cheque for £30 to each of them. The requests asked for
‘All data of which they are the data subject (including data in which they are identified expressly or by inference) and which is in your firm’s possession custody or power.’
The points in issue on the subject-access request were limited to (i) the extent of the privilege, (ii) the extent of a reasonable and proportionate search for documents and (iii) whether the request was improper, in that it was an attempt to gain disclosure of documents for the purposes of proceedings when the court disclosure rules were more properly applicable, and the extent of the court’s discretion to refuse such a request.
Privilege
The Taylor Wessing refusal was supported by the following statement:
We have carried out searches of the records held by us and our response to your request is as follows:
Personal data records held by us are processed only in connection with our capacity as legal advisors. This data is exempt from the subject access provisions of the Act by virtue of Schedule 7 section 10 of the Act by reason that it consists of data in respect of which a claim to legal professional privilege applies.
It was accepted that, once the dispute was in train at least, some documents were protected by legal professional privilege. The claimants’ position was that not all were so protected and that they were entitled to a response in respect of the others.
One tricky question was whether the legal professional privilege extended to the material that might be privileged under the law of the Bahamas, which gave more extensive protection than English law. Another was that, since one of the claimants had been a beneficiary under the trust for which Taylor Wessing acted, joint privilege applied so as to undermine any right to claim privilege against her.
His Honour Judge Behrens expressed ‘great difficulty in following the concept that the principles of disclosure in relation to trustees and beneficiaries can in some way be separated from legal professional privilege’. He took a purposive approach, citing Durant v FSA [20013] EWCA Civ 1746, and felt that legal professional privilege extended to include all the documents in respect of which Grampian would be entitled to resist compulsory disclosure in Bahamian proceedings.
Reasonable and Proportionate Search
His Honour Judge Behrens acknowledged that data processors have often been required to carry out ‘quite extensive searches for data‘ in response to subject-access requests. But, in a passage (at [66]) that may have many a public servant rolling their eyes, he accepted the submissions of the defendants and came to the firm conclusion that it was not reasonable or proportionate to ask Taylor Wessing to carry out a search to determine which documents were protected by privilege and which were not.
The defendant’s submissions, which were endorsed by Judge Behrens, included reference to the fact that determining whether a document was protected by privilege was a matter that required consideration by skilled lawyers and would this be ‘a very time consuming (and costly) exercise for such lawyers to carry out’ It also included reference to the ‘modest fee (£10 each)’ for the subject access requests. His Honour Judge Behrens considered that in all likelihood the question of disclosure would have to be considered and resolved by Grampian and its Bahamian lawyers in Bahamian proceedings, he considered that the cost of the costly exercise should be part of those proceedings.
Propriety
Given his view that privilege applied and that, insofar as it did not, a search was not reasonable and proportionate, it was not necessary for Judge Behrens to give a view on whether or not he would exercise his discretion to order a search. He did express the view that he would have refused to order a search in the exercise of his discretion because it seemed clear to him that the request was really part and parcel of a dispute that would lead to litigation and a discovery exercise in the Bahamas.
Motorman and Sensitive Personal Data
The Information Commissioner’s appeal against a decision of the First-tier Tribunal has been unsuccessful.
In Information Commissioner v Colenso Dunne [2015] UKUT 0471 (AAC) the Upper Tribunal has upheld the decision of the First-tier Tribunal that information could be released notwithstanding the Information Commissioner’s view that it was exempted from the freedom of information right. The case includes some interesting reflections on the interplay between freedom of information legislation and data protection legislation and on the strange dual role of the Information Commissioner but is chiefly important because of what is said about sensitive personal data.
The case arises out of the ICO’s investigation into Mr Steve Whittamore, a private investigator, as part of ‘Operation Motorman’. The ICO refused to release a list of some 300-odd journalists’ names which it had seized in a raid on Mr Whittamore in response to Mr Colenso-Dunne’s request for the list under FOIA. Following a dispute, the First-tier Tribunal determined that the ICO should disclose the names of the journalists who had commissioned Mr Whittamore’s services, that the information in issue was not “sensitive personal data” and that its disclosure was for a legitimate purpose, rather than an unwarranted intrusion into the journalists’ privacy rights.
As Judge Wikeley puts it (at [39]):
‘In essence, the Tribunal made a finding of fact that the information demonstrated that particular journalists had commissioned Mr Whittamore to obtain information but, so far as the journalists were concerned, no more than that. The information did not carry with it any assertion as to the actual or alleged commission of any crime by those journalists. The line may be a fine one, but a sustainable line it is, and it is clear from the sequence of its rulings and its inquisitorial approach that the Tribunal interrogated the evidence rigorously in making its findings of fact.’
He went on to say (at [46]):
The fact that some people might misconstrue the fact that a journalist’s name was in the material seized from Mr Whittamore as an allegation that he or she had committed an offence did not convert personal data into sensitive personal data.
Balancing interests
The Information Commissioner’s contention was that the First-tier Tribunal had erred in its application of the balancing of interests under condition 6(1) of Sch 2 to the Data Protection Act 1998. It was argued that it would be unfair to release the names in question, principally. Because of the very serious reputational consequences which disclosure would have for the journalists in question. Judge Wikeley felt that the First-tier Tribunal had adequately addressed that issue and that it was not for him to address it anew. In observing that there was a legitimate interest in the public being made aware of the sort of information the ICO had in its hands at the time when it pursued criminal proceedings against certain investigators but did not take any steps that might have led to the prosecution of those who had engaged the services of those investigators, the First-tier Tribunal had made it clear that it had carried out a proper balancing exercise.
Other grounds of appeal effectively fell away and Judge Wikeley dismissed the appeal.