Whilst preparing for “my day in Court”, I have realised that I also have had, for over a year, some further detail which explains why the European Commission thinks the UK’s Data Protection Act 1998 (DPA) is a deficient implementation of Directive 95/46/EC. I think I have the answer and this extra detail is the subject of this blog.
Next Monday (11th Feb), I have my Tribunal hearing as to whether I can obtain the full text of the letters sent by the European Commission to the UK Government which explains their position on the DPA. At Monday’s Tribunal the Ministry of Justice will be arguing that release of these letters to me will prejudice international relations.
Note that two decades of Conservative euro-phobia and the Prime Minister’s promise for an in-out referendum has not been prejudicial to international relations. By contrast, my little FOI request about data protection is causing all sorts of mayhem and mischief. Indeed, if I win, I suspect the resulting euro-havoc will trigger contingency plans to recall all European Ambassadors for “discussions on data protection”.
The letters I have requested describe why, according to the Commission, the DPA is a deficient implementation of Directive 95/46/EC. According to the Commission, UK Government has defectively implemented 15 Articles of a 34 Article Directive (i.e. Articles 2, 3, 6, 8, 10, 11, 12, 13, 16, 17, 22, 23, 25, 26 and 28). Summary details from these letters have been blogged before (see references).
However, what I have discovered that in one of its responses to me, the UK Government has grouped the Commission’s issues under headings, which I had previously ignored. Now in conjunction with other information, these headings reveal the detail of the alleged problems with the DPA.
Of course my analysis involves some deduction and supposition but I think I have “cracked it”. However, I don’t have further details on the problems with Articles 16, 17, 25 and 26 as these are not featured in the MoJ’s heading.
This means that the Commission’s letters assert that the UK has inappropriate provisions with respect to transfers outside the EEA (Articles 25 and 26) and the security of personal data (Articles 16 and 17). Something which I still think is of public interest.
Anyway, to the headings and the problems (see the download; it is easy to see why I ignored it!).
1. Definition of “Personal Data” and “Relevant Filing System” (Article 2)
I am pretty sure that this is a reference to the consequences of the Durant Court of Appeal judgment which narrowed the definition of personal data and Relevant Filing System. I suspect the Government are arguing that the ICO’s Guidance on personal data widens the scope of personal data and that this Guidance corrects the Durant judgment.
Sadly this is not correct. I remember a moment in the CSA v SIC case when Barrister for the ICO invited (then pleaded, begged, implored and almost prostrated himself on the floor of the Court in tears) the House of Lords to say some approving comments in its judgement about the ICO’s Guidance on the definition of personal data. This is because the ICO’s Guidance expanded the scope of personal data beyond the narrow confines of Durant.
Lord Hoffman stopped the barrister in his tracks and intervened to say that CSA v SIC was about “identity” whilst Durant was about “relate to”. He then added something on the lines: “we are not revisiting Durant; thereby lies a can of worms”.
Now as readers know that my comments about Durant are usually interspersed with a few anglo saxon nouns and adjectives, so I will leave my commentary to the information law barristers from the 5RB Chambers. They said of the Durant on their website:
“Sir Humphrey would have been delighted with this decision. The definition given by the Court of Appeal to personal data is so restrictive in relation to manual filing systems, as to constitute a serious obstacle to any citizen seeking to verify the accuracy of information held about him/her by the state. It is surprising that such a wide exclusion of "data" from the Act should be found consistent with the Data Protection Directive or Article 8”.
I agree. And that is why I am taking my FOI requests as far as I can.
2. Collection of personal data in job applications (Article 6 & 28)
We can now say that Commission’s issue with the Articles 6 and 28 is to do with the fact that some employers are obtaining health information from job applicants in circumstances disliked by the Commission. At a guess, it could be that the Commission sees the ICO’s Employment Code of Practice as giving too much leeway for when this practice can occur.
The involvement of Article 6 (dealing with what we know as Principles 1-5) makes me suspect that the Commission consider there is an issue concerning fairness, relevance and retention of health personal data in the context of the employment purpose; Article 28 is a reference to the fact that the ICO (at the time of the writing of the letters) did not have sufficient powers to protect the data subject.
Note that if the Commission thinks several Principles have been breached, then there is unlikely to be compliance with Articles 7 and 8 (expressed in DPA as Schedule 2 and 3 conditions) for the processing of health personal data for the employment purpose.
Since 2006 (i.e. after the letters were sent to the UK Government), the vetting of prospective employees against criminal records has extended enormously.
Given that the ICO has taken later action under the Third and Fifth Principles in the UK Courts, in an attempt to stop the use of minor, irrelevant, age-old offences in employment decisions, I would not be surprised if the criticism raised by the Commission in the context of health records also now applies to criminal convictions in the employment context.
3. Subject Information Provision (Articles 10 & 11)
I have always been puzzled about the Commissions gripe about fair processing issues but now the Government’s heading links these Articles to the exemption from the Subject Information Provisions (SIP). This exemption means that the data subject gets neither a fair processing notice nor subject access.
So I think this in turn means that some, or all, of the SIP exemptions in Schedule 7 (e.g. management planning, forecasting and negotiations) do not need, in the Commission’s view, to include an exemption from the fair processing requirements.
Whether the Commission are dissatisfied with the Subject Access exemption is unclear – fairness as specified in Articles 10 & 11 has nothing to do with data subject rights.
4. Rectification and Judicial Discretion (Article 12)
There are two possible areas linked to the right of access (Article 12):
- The Court’s discretion to grant or refuse applications made by data subjects to rectify, or erase inaccurate personal data (caused by the “may” in Section 14 of the DPA)
- The Court’s discretion to grant or refuse subject access in circumstances other than specified in Article 13 (caused by the use of “may” in S.7(9) of the DPA)
The Durant decision determined that the right of the Court to refuse the right of access was “untrammelled”; the Commission I suspect argue that refusal is limited to the necessary circumstances specified Article 13 (e.g. prevention of crime).
5. Confidential References (Article 13)
I think the Commission is claiming that the exemption relating to confidential references given by the data controller (i.e. in Schedule 7, paragraph 1) cannot be justified in terms of Article 13 (which specifies when Member States can legislate for exemptions).
As readers should know, back in 1998 the Department responsible for the then Data Protection Bill was the Home Office with Jack Straw as Home Secretary; additionally the UK had to comply with Gaskin v. UK, a decision from the European Court of Human Rights ((1989) 12 EHRR 36).
This combination of these factors inevitably meant that the Bill was amended in a minimalistic way to deliver Gaskin (this is via Sections 7(4) to 7(6) of the Data Protection Act). As Gaskin did not refer to the position of the giver of the confidential reference, the Home Office and Jack Straw provided an exemption for the sender of the reference.
What the Commission is saying is that the sender’s exemption and the UK’s minimalistic approach to Gaskin cannot be justified.
6. Damages (Article 23)
The Directive requires “The controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage”. The Data Protection Act in Section 13 provides for a “reasonable care” defence.
Note that the DPA’s implementation means that even though the data controller is responsible for the “the event giving rise to the damage”, no damages are awarded in the UK Court because the data controller can show “reasonable cause”.
7. Information Commissioner’s Regulatory Powers (Article 28)
These problems are in the public domain, so I don’t have to suppose anything. In a press release (see references), the Commission identified “notably limitations of the Information Commissioner's Office's powers”. These are that:
- “it cannot monitor whether third countries' data protection is adequate. These assessments should come before international transfers of personal information”;
- “It can neither perform random checks on people using or processing personal data, nor enforce penalties following the checks”.
The Press Report noted: “Furthermore, courts in the UK can refuse the right to have personal data rectified or erased. The right to compensation for moral damage when personal information is used inappropriately is also restricted”.
For instance, if an Information Notice has to be served to get information and if this is appealed to the Tribunal, then there will be about a six month delay before the legal process grinds out an outcome of the Appeal. Similarly with an Enforcement Notice, if appealed, means that processing can continue until the appeal is heard.
This half year delay until the Tribunal determines the outcome of an issue is not what can be described as “effective powers of intervention”.
8. ECJ References (Article 234)
This heading is a reference to status of infraction proceedings with respect to the European Court of Justice; it has nothing to do with my request.
However, nearly a nine years ago, when I was a young man starting out on my FOI journey of delay, refusal and rejection, I was told by the European Commission that legal proceedings were “on-going”. With the current Tribunal case, the refusal of the MoJ to provide the letters is based on the fact that legal proceedings are, yes you have guessed it, “on-going”.
So how long a time is “on-going”?
This is a question that is the legal equivalent of “how long is a piece of string?”.
My Tribunal will take place on Monday 11 February 2013 at 10:00 am, at Court 7, Field House, 15 Breams Buildings, London EC4A 1DZ if you want to come along.
We have a half day on the EU regulation on March 18th in London (£225+VAT): https://www.amberhawk.com/bookevents.asp
Two recent blogs relating to “Why the EU thinks the UK Act is deficient” which includes downloads are:
- Information published by the MoJ as a result of an FOI request: https://amberhawk.typepad.com/amberhawk/2011/05/privacy-new-government-revelations-amplify-concerns-surrounding-deficiencies-in-uks-data-protection-.html
- Information published by the European Commission as a result of an FOI request: https://amberhawk.typepad.com/amberhawk/2011/02/european-commission-explains-why-uks-data-protection-act-is-deficient.html
The UK Government headings that allow more detail to be deduced: Download BLOG_MoJ letter:
5RB’s commentary on Durant. https://www.5rb.com/case/Durant-v-Financial-Services-Authority
EU Press release on infringement proceedings: https://europa.eu/rapid/press-release_IP-10-811_en.htm