Gosh, crumbs and crikey! Talk about the “Road to Damascus”.
The Information Commissioner, in his Enforcement Notice issued to Southampton City Council in July, has made an express link between Article 8 of the Human Rights Convention and lawful processing under the First Data Protection Principle. Furthermore, Southampton has appealed the Notice; this means the Tribunal should hear arguments about Article 8 and adjudicate, in detail, on how Human Rights and Data Protection legislation interact.
I have often moaned (and moaned) about the fact that the Commissioner does not do “lawful” processing (see references). However, a stinging judgment in the “Solicitors from Hell” case (which mainly rebuked the Commissioner for his interpretation of the “domestic purpose” exemption), a key passage stated the following re the issue of lawful processing under the Data Protection Act (DPA):
... "The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully. The authoritative statements of the law are to be found not only in the cases cited in this judgment (including para 16 above), but also by the Court of Appeal in Campbell v MGN Ltd  EWCA Civ 1373  QB 633 paras  to , and in other cases. As Patten J made clear in Murray, where the DPA applies, if processing is unlawful by reason of it breaching the general law of confidentiality (and thus any other general law) there will be a contravention of the First Data Protection Principle within the meaning of s.40(1), and a breach of s.4(4) of the DPA”…. (paragraph 25 of the judgment; my emphasis).
In paragraph 3 of the Enforcement Notice, the Commissioner describes the offending processing in the following terms:
“…the data controller’s policy (effective from 26 August 2009) that all licensed taxis and private hire vehicles have to be fitted with a CCTV system that features an audio recording facility that is in permanent operation. The policy results in the recording of all driver and passenger conversations (including mobile telephone calls) that take place in taxis and private hire vehicles licensed by Southampton City Council.
Accordingly in paragraph 9, the Enforcement Notice says:
“The Commissioner has further taken account of the effect of the incorporation in English law of the European Convention on Human Rights (“ECHR”), by virtue of the Human Rights Act 1998, in deciding whether or not to serve an Enforcement Notice. In particular, the Commissioner is mindful of the provisions of Article 8 of the ECHR in that drivers of taxi and private hire vehicles and their passengers have the right to respect for private and family life which has been unlawfully interfered with by the processing referred to in paragraph 3. A breach of Article 8 will also contravene the lawful processing requirement of the First Data Protection Principle.” (Hurray – my emphasis)
Another notable thing about this Enforcement Notice is that the Commissioner is “mindful of the CCTV, Employment and Privacy Notices Codes of Practice”. Although these Codes are not statutory Code of Practice (i.e. voluntary), it will be interesting to see what status the Tribunal gives them. If the Tribunal says, for instance, asserts that they are important documents describing data protection practice, then they should be treated far more seriously.
For instance, I think that if a data controller says on his web-site that he has implemented the CCTV Code of Practice and does no such thing, then this statement is misleading and is likely to result in unfair processing.
Finally, the Enforcement Notice says the data controller has no Schedule 2 grounds for the processing. This follows as if the processing is not "necessary" (as required by Schedule 2 grounds other than data subject consent), it will not be “necessary” in terms of the exemptions in Article 8(2) which Article 8(2) requires that any law that permits interference is “necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others” (My emphasis to the link, through that word "necessary" as both are used in A.8 of ECHR and Schedule 2 of the DPA).
This Tribunal is listed for the end of January; it could then be the start of a legal process that strengthens data subjects’ rights considerably. Because as soon as Article 8 is linked to the lawfulness aspects of three Data Protection Principles (First, Second, Seventh), and if the Information Commissioner takes up more relevant cases, then in my view, the protection of the individual has just increased dramatically.
And that without the need for any Regulation.
JUSTICE evening event at Hunton and Williams: “Defamation, privacy and freedom of expression online”, 30 St Mary Axe, London EC3A 8EP (the London “Gherkin”) 20 November 2012 –http://www.justice.org.uk/events.php/46/life-and-law-online-defamation-freedom-of-expression-and-the-web (£50)
We are running a course leading to BCS’s Foundation Certificate in Information Security Management in January in London; ideal for data protection people wanting to understand best practice in information security management. See www.amberhawk.com for details.
Southampton City Council Enforcement Notice: http://www.ico.gov.uk/news/latest_news/2012/~/media/documents/library/Data_Protection/Notices/southampton_cc_enforcement_notice_20120723.ashx
Solicitors from Hell: Judgement reinforces the link between “lawful processing”, the First Data Protection Principle and human rights/other laws. http://amberhawk.typepad.com/amberhawk/2012/01/judgement-reinforces-the-link-between-lawful-processing-the-first-data-protection-principle-and-human-rightsother-law.html
Information Commissioner should enforce Article 8 privacy rights http://amberhawk.typepad.com/amberhawk/2010/04/information-commissioner-should-enforce-article-8-privacy-rights.html