Happy New Year. Isn’t it horrid to be back at work?
Normally the end of year holiday is very quiet – not so this year, so I have taken the opportunity to report on three issues that could have been easily missed since my last blog. The commentary deals with Smart Meters, Violent Warning Markers and Undertakings. Full references at end as usual.
With the UK’s Government blessing, most public utilities are moving to “smart metering”. For instance, all old fashioned electricity meters are being replaced by 2020 with devices where consumers can find out, in real time, what resources are used by which device, and how much it costs to use. Such information, the Government hope, will reduce electricity consumption and carbon dioxide emissions; it will also make the visit from a meter reader as outdated as a visit from a Petty Chapman.
However, smart meters could allow public utilities to hold personal data about lifestyles – for example, how many times you cook food in an oven, when you have a bath, when you are at home or on holiday. Inferences could be made – for example, what do you think has happened if the meter readings are consistent with a shower in a two person flat being switched on four times – twice at 11.30pm and twice around midnight?
Also, if the authorities want to know whether someone is at home, they can monitor the real-time meter – perhaps relying on the exemption from the non disclosure provisions in section 29 (crime and taxation) to facilitate disclosure. Covert surveillance (e.g. such as that employed by Poole Borough Council in relation to its school admissions policy - see references) becomes unnecessary as an analysis of meter readings can be used to assess how much (and when) a property is being used as the prime domestic residence. Finally, burglars are likely to take an interest in very low-usage meter readings, so personal data security is a very important issue.
Before the holidays, the Ponemon Institute (an American Research organisation specialising in security and privacy) published research on USA consumer attitudes to smart metering. It shows that many consumers do not understand the range of details recorded or transmitted by a smart meter, and are not provided (or did not recall receiving) information about the installation of a smart meter. Consumers who claim to have the best understanding of a smart meter are most concerned about the impact on individual privacy. The major concern, not unsurprisingly, appears to be how the collection of personal information could reveal details about their lifestyle.
In other words, there are significant data protection issues about smart metering that have yet to be resolved (or even aired in public in the UK).
Violent warning markers
Slough Borough Council’s appeal against the awarding of libel damages was published just before Xmas. The Appeal relates to the placing of personal data (about Ms. Jane Clift) on Slough’s Register of Violent People which was then subsequently shared with other public bodies and within the Council. At the Lower Court, Ms Clift was successful in her argument that the sharing of her personal data was an unnecessary interference with her personal life and their distribution amounted to defamation. She was awarded £12K compensation and costs.
Slough’s appeal surrounded the legal point as to whether or not a Local Authority had a public-law, moral or social duty to disclose the details on the Violent Persons Register. If such a duty existed, the content of the disclosed personal data was irrelevant to the question of whether personal data, once placed on the Register, had to be disclosed. In other words, if Slough had such a lawful duty, then it followed that there could be no defamation as there was an obligation to disclose details from the Register.
Paragraph 35 of the Appeal judgment is the killer for the Council: “....Ill-considered and indiscriminate disclosure is bound to be disproportionate and no plea of administrative difficulty in verifying the information and limiting publication to those who truly have the need to know or those reasonably thought to be at risk can outweigh the substantial interference with the right to protect reputations. In my judgment the judge's ruling on proportionality is beyond challenge. To publish as widely as the Council did was to breach Ms Clift's Article 8 rights”.
Note that Appeal judgment has no commentary on any data protection issue and therefore does not illuminate the workings of the Act although the ICO’s Guidance on Violent Warning Markers gets a very cursory mention at paragraph 35 as part of a single sentence in 50 paragraph judgment. At best, one can tentatively assume that this Guidance was aired in Court, and the absence of detailed commentary in the judgement can be read as inferring some kind of acceptance of its content in relation to when to place personal data on the Register and when to disclose them - but that is as far as it goes.
I think the real question is: “Why did Slough B.C. bring this appeal?”. The facts of the case were explored in detail by the Lower Court and were found to be wanting; the Court accepted that Ms Clift was not someone who had been violent (or who was potentially violent), but rather someone who became frustrated with officials and complained about their lack of professionalism. Slough’s error was to take verbal statements such as “Right now, I wish she'd drop dead” too literally.
So what legal principle was Slough trying to establish by its Appeal? Was it “if we decide to put people on the Register, then there are no consequences?”. And because of the small nature of the compensation (£12K not £120K), the whole process seems to be a complete waste of resources, paid for by the taxpayer of course. Perhaps somebody in Slough has a big ego to protect, who knows? But quite evidently the maxim “once in a hole, stop digging” has yet to reach the Borough.
By the way, don’t say something like “I could murder a bag of chips” in Slough – you might get arrested.
Undertakings extended to FOI
The University of East Anglia (UEA) has signed the first Undertaking in relation to Freedom of Information (FOI). Until now, Undertakings have been signed by data controllers in relation to reported losses of personal data; the result is that all previous Undertakings have dealt with the Seventh Principle, but the odd one has contained additional requirements in relation to the First, Third, Fourth and Fifth Principles.
The context of this FOI undertaking concerns the failure to deal with EIR/FOI requests received by the UEA’s Climate Change Research Program. Do you recall those leaked emails (around February last year) which were used by the “No such thing as global warming” lobby to say that the science was being “fixed” to support a carbon dioxide theory of rising global temperature?
The subject matter got very political and resulted in a Parliamentary Select Committee Inquiry and a host of press headlines. In such circumstances, the Commissioner had no choice but to be seen to “do something” about the obvious FOI/EIR shortfalls which had been exposed and criticised publically.
The interesting fact is that there was no Enforcement Notice issued. This means that the ICO wanted to dispose of the subject with the minimum of fuss, and it is this aspect – the decision not to proceed down an official enforcement route - which helps explain why the Undertaking is likely to become more important to public authorities and data controllers.
DP and FOI Practitioners might want to look at “The Undertaking – 2010” (see references). This explores why the “Undertaking” is increasingly being used by the Information Commissioner as part of his enforcement options. The article considers the implications for data controllers, the lack of an appeals mechanism and the extension of “Undertakings” to breaches of any data protection principle. Now that analysis is relevant to FOI practitioners.
1. The Ponemon Institute research document (Perceptions about Privacy on the Smart Grid) can be obtained from Mike Spinney, Senior Privacy Analyst, firstname.lastname@example.org. Re Poole surveillance: http://amberhawk.typepad.com/amberhawk/2010/08/swimming-in-the-surveillance-poole-the-real-privacy-problems-with-ripa.html
2. Clift v Slough Borough Council  EWCA Civ 1484 (21 December 2010) URL: http://www.bailii.org/ew/cases/EWCA/Civ/2010/1484.html
3. The “Undertaking” analysis can be down loaded from http://www.amberhawk.com/policydoc.asp and the FOI undertaking itself can be found at http://www.ico.gov.uk/what_we_cover/promoting_openness/~/media/documents/library/Freedom_of_Information/Notices/uea_foi_undertaking.ashx.
Advert re DP and FOI courses:
We are running several sets of data protection courses next year. We are starting a set of the 7-day DP course in London (beginning 18th January) and running the 5-day intensive course in Edinburgh (beginning 24th February) and in Leeds (beginning 3rd March). These courses cover the DP ISEB syllabus and prepare delegates for the examination in April 2011, although you do not need to be seeking the qualification to attend.
Our next FOI course starts in Manchester on 26th January. As with Data Protection, these courses cover the FOI ISEB syllabus for the examination in April 2011, although you do not need to be seeking the qualification to attend.
Details on the “brochure” section of the Amberhawk website (www.amberhawk.com)