Gosh, crumbs and crikey! Talk about the “Road to Damascus”.
The Information Commissioner, in his Enforcement Notice issued to Southampton City Council in July, has made an express link between Article 8 of the Human Rights Convention and lawful processing under the First Data Protection Principle. Furthermore, Southampton has appealed the Notice; this means the Tribunal should hear arguments about Article 8 and adjudicate, in detail, on how Human Rights and Data Protection legislation interact.
I have often moaned (and moaned) about the fact that the Commissioner does not do “lawful” processing (see references). However, a stinging judgment in the “Solicitors from Hell” case (which mainly rebuked the Commissioner for his interpretation of the “domestic purpose” exemption), a key passage stated the following re the issue of lawful processing under the Data Protection Act (DPA):
... "The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully. The authoritative statements of the law are to be found not only in the cases cited in this judgment (including para 16 above), but also by the Court of Appeal in Campbell v MGN Ltd [2002] EWCA Civ 1373 [2003] QB 633 paras [72] to [138], and in other cases. As Patten J made clear in Murray, where the DPA applies, if processing is unlawful by reason of it breaching the general law of confidentiality (and thus any other general law) there will be a contravention of the First Data Protection Principle within the meaning of s.40(1), and a breach of s.4(4) of the DPA”…. (paragraph 25 of the judgment; my emphasis).
In paragraph 3 of the Enforcement Notice, the Commissioner describes the offending processing in the following terms:
“…the data controller’s policy (effective from 26 August 2009) that all licensed taxis and private hire vehicles have to be fitted with a CCTV system that features an audio recording facility that is in permanent operation. The policy results in the recording of all driver and passenger conversations (including mobile telephone calls) that take place in taxis and private hire vehicles licensed by Southampton City Council.
Accordingly in paragraph 9, the Enforcement Notice says:
“The Commissioner has further taken account of the effect of the incorporation in English law of the European Convention on Human Rights (“ECHR”), by virtue of the Human Rights Act 1998, in deciding whether or not to serve an Enforcement Notice. In particular, the Commissioner is mindful of the provisions of Article 8 of the ECHR in that drivers of taxi and private hire vehicles and their passengers have the right to respect for private and family life which has been unlawfully interfered with by the processing referred to in paragraph 3. A breach of Article 8 will also contravene the lawful processing requirement of the First Data Protection Principle.” (Hurray – my emphasis)
Another notable thing about this Enforcement Notice is that the Commissioner is “mindful of the CCTV, Employment and Privacy Notices Codes of Practice”. Although these Codes are not statutory Code of Practice (i.e. voluntary), it will be interesting to see what status the Tribunal gives them. If the Tribunal says, for instance, asserts that they are important documents describing data protection practice, then they should be treated far more seriously.
For instance, I think that if a data controller says on his web-site that he has implemented the CCTV Code of Practice and does no such thing, then this statement is misleading and is likely to result in unfair processing.
Finally, the Enforcement Notice says the data controller has no Schedule 2 grounds for the processing. This follows as if the processing is not "necessary" (as required by Schedule 2 grounds other than data subject consent), it will not be “necessary” in terms of the exemptions in Article 8(2) which Article 8(2) requires that any law that permits interference is “necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others” (My emphasis to the link, through that word "necessary" as both are used in A.8 of ECHR and Schedule 2 of the DPA).
This Tribunal is listed for the end of January; it could then be the start of a legal process that strengthens data subjects’ rights considerably. Because as soon as Article 8 is linked to the lawfulness aspects of three Data Protection Principles (First, Second, Seventh), and if the Information Commissioner takes up more relevant cases, then in my view, the protection of the individual has just increased dramatically.
And that without the need for any Regulation.
Advert
JUSTICE evening event at Hunton and Williams: “Defamation, privacy and freedom of expression online”, 30 St Mary Axe, London EC3A 8EP (the London “Gherkin”) 20 November 2012 –http://www.justice.org.uk/events.php/46/life-and-law-online-defamation-freedom-of-expression-and-the-web (£50)
We are running a course leading to BCS’s Foundation Certificate in Information Security Management in January in London; ideal for data protection people wanting to understand best practice in information security management. See www.amberhawk.com for details.
References
Southampton City Council Enforcement Notice: http://www.ico.gov.uk/news/latest_news/2012/~/media/documents/library/Data_Protection/Notices/southampton_cc_enforcement_notice_20120723.ashx
Solicitors from Hell: Judgement reinforces the link between “lawful processing”, the First Data Protection Principle and human rights/other laws. http://amberhawk.typepad.com/amberhawk/2012/01/judgement-reinforces-the-link-between-lawful-processing-the-first-data-protection-principle-and-human-rightsother-law.html
Information Commissioner should enforce Article 8 privacy rights http://amberhawk.typepad.com/amberhawk/2010/04/information-commissioner-should-enforce-article-8-privacy-rights.html
You say "if a data controller says on his web-site that he has implemented the CCTV Code of Practice and does no such thing, then this statement is misleading and is likely to result in unfair processing."
I totally agree with you - but this is not just a data processing issue. In the European Union the Directive on Unfair Commercial Practices 2005/29/EC “...ensures that consumers are not misled or exposed to aggressive marketing and that any claim made by traders in the EU is clear, accurate and substantiated, enabling consumers to make informed and meaningful choices.”
So if the website is selling any goods and services (rather than just being an information site) then it will be caught by these regulations.
The OFT-BERR GUIDANCE on the UK Regulations (May 2008) implementing the Unfair Commercial Practices Directive makes this very clear in a series of examples
see http://www.oft.gov.uk/shared_oft/business_leaflets/cpregs/oft1008.pdf
Alistair Kelman
Posted by: Alistair Kelman | 09/11/2012 at 10:38 AM
Your argument raises the question about whether electoral register and council tax data is being 'fairly' used in data matching to identify people as what the former boss of the NFI just told the ad hoc subcommittee were 'potentially suspicious cases' in respect of a 'single person discount' which has no existence in law and when the FPN itself leads one or directs one to legally misleading or false information. I was told by the ICO that so long as you had been told that your data was being 'used to prevent' fraud the detail of the notification was not something it could look at and that it WOULD NOT AND COULD NOT comment on any individual exercise if this meant commenting on the legal frameworks involved.
I have just submitted evidence to the ad hoc committee citing what the ICO said to me, here
http://www.publications.parliament.uk/pa/cm201213/cmselect/cmdraftlocaudit/writev/m01.htm
Regarding the code of data matching practice, the Audit Commission wrote this and gave it to the Secretary of State to lay before Parliament, yet so far from complying with it, it is carrying out data analytics which plainly do not come within it, such as the data matching exercise which identifies houses where a 17 year old is on the electoral register and the liable adult is receiving a 25% discount from the council tax bill. I note that Liberty's evidence on these uses of personal data is on the net, but appears not to have got to the committee on time, and that the ICO response appears, regrettably, to be predicated on the false belief that all 'matches' should be investigated, when in many cases the basis for the investigation is not as the AC often asserts evidence based but statistical
See also here
http://www.guardian.co.uk/money/2011/dec/16/council-tax-shock-single-person-discount
I have always thought that when councils are failing to administer council tax discount law in accordance with regulations 15 and 20 their uses of personal data to identify people who are NOT in law in the position of claiming to be literally sole occupants as people who ARE in law in the position of claiming just that cannot be 'in accordance with the law', and indeed, that appears to have been the thrust of the argument of the barrister who always said it wan't lawful to use the full electoral register for this purpose.
Posted by: Karen Heath | 10/11/2012 at 01:10 PM