Sarah Thorley rounds up recent developments that those dealing with information law in the public sector should be aware of.
Three months after 25 May, the Information Commissioner's Office (ICO) continues to publish refreshed guidance on implementing the nuances of the new Data Protection Act 2018 (DPA '18) and the General Data Protection Regulation (GDPR).
Meanwhile, decisions for cases under the old law are published and affect decision making. Despite a focus on the DPA, Freedom of Information Act (FOIA) requests continue to be made and require consideration by your information team.
CCTV in taxis
The ICO has written a blog about the increase in use of CCTV cameras inside licensed taxis. The ICO highlights a concern with systems that run all the time, including when the driver is using the vehicle privately.
The ICO recommends that authorities consider whether less privacy-intrusive methods can be used to achieve the same aims. It reminds councils that Data Protection Impact Assessments (DPIAs) must be carried out prior to the roll-out of any intrusive surveillance system. If you conclude that the system is required, you should remember to implement the project taking account of the 'privacy by design' principles, for example, not collecting more personal data than required. We suggest you document each of these stages to ensure that you can justify your position.
If you find the ICO's DPIA tricky to follow, VWV has designed a template with our clients and their projects in mind.
Dr B - Mixed Data Case
This case concerned a subject access request made to the General Medical Council. A patient had requested a copy of the report about his doctor's (Dr B) treatment of him. The complicating factor was that the patient's personal data was intertwined with that of Dr B, who did not consent to the disclosure. This meant that the GMC had to carry out a balancing exercise to decide whether it was reasonable to disclose the report to the patient without Dr B's consent.
Decided under DPA '98, this case, misleadingly, is now of limited application to those working with doctors. This is because the DPA '18 states that it is reasonable to share information about a health professional, in a mixed data situation, when they have compiled or contributed to the care or treatment of the data subject. There is a similar provision regarding education and social care workers.
For other situations, the case helpfully concludes that in 'mixed data' cases, data controllers have a wide margin of discretion when carrying out the balancing exercise. There is only a presumption in favour of withholding the personal data if the interests of the requester and the other person are equally balanced. It was concluded that the High Court was incorrect to find that the starting point is a presumption in favour of withholding the information.
For a more thorough examination of the case, see our summary.
£200,000 fine for child sex abuse inquiry
The Independent Inquiry into Child Sexual Abuse was fined £200,000 in July (under DPA '98) after sending a bulk email to participants of the inquiry that mistakenly put email addresses into the 'to' line of the email rather than using 'bcc'. The email addresses of the participants were revealed to others and people could be identified as potential victims of child sexual abuse.
This case highlights the importance of protocols for sending bulk emails. If your organisation does not already have rules in place for sending emails to multiple recipients, you should consider putting some in place. This could be done by using specialist software for mail-outs, only allowing certain individuals to send large mail-outs, or a buddy system for checking contents and security.
Deciding whether to apply FOIA or EIR?
A recent Tribunal case provides guidance on assessing whether to use FOIA or the Environmental Information Regulations (EIR) when requested information includes environmental information as well as other information. In Information Commissioner v Department for Transport & Hastings, Judge Wikeley provided a test, which (in summary) advises public bodies to:
- construe the definition of 'environmental information' as defined by regulation 2(1) of the EIR broadly
- consider the document containing the requested information as a whole, and look at whether it is broadly 'on' one or more matters set out in reg 2(1)
FOIA decisions - estimating time to find and vexatiousness
Another recent Tribunal decision considered Cambridge University's approach to calculating the s12 time and cost limits exemption. The decision reinforces that:
- estimates for finding the information must be reasonable
- they do not need to be produced with an incredibly high level of mathematical rigour
- they should stand up to tests where assumptions are changed
Labelling a request 'vexatious' is always a difficult decision, and one which can cause an emotional reaction in the recipient. However, in some cases this is entirely appropriate, and the Tribunal recently considered one of those cases, where there had been a considerable history of engagement, culminating in over 50 FOIA requests.
In correspondence, the requestor had compared the authority to Nazis and made allegations of corruption against those working there, and continued to make requests after individual points had been dealt with. The Tribunal repeated the key elements from the Dransfield case, and reiterated that public authorities should:
- ensure a focus on deciding whether the request rather than the requestor is vexatious
- consider 'vexatiousness by drift' whereby the requestor makes a new information request upon receipt of the response to an earlier request
- a request can and should be judged in the context of any earlier relations between the requestor and the public authority but this must be framed within the review under s14,