Recent developments in information law: part 1

In the first in a two-part series on recent developments in Information Law, Eleanor Grey QC, Catherine Dobson and Jack Anderson look at issues such as the Attorney-General's power of veto, surveillance and a Supreme Court ruling on data protection.

The Attorney-General’s power of veto

The most notable case of the last few months has been R (Evans) v Attorney General [2013] EWHC 1960 (Admin), in which the Divisional Court upheld the use of the Attorney General’s veto under the Freedom of Information Act and as it applies to the Environmental Information Regulations 2004. The AG vetoed the disclosure of correspondence between HRH Prince of Wales and ministers in seven government departments; the legal challenge to his decision failed. Although the “executive override” represented by the veto has been described as a ‘constitutional aberration’, it could be argued that giving the government the final say in the release of documents under FOIA represented an essential element of the ‘package’ of reforms contained in the Act, and was one of the elements which enabled the Act to come into being. Further, it might also be argued that the power has been used with reasonable restraint, given that it has been used on only six occasions since the Act took effect.

Surveillance: Cameras and Consent

Surveillance has been a hot topic recently, whether as a result of the ‘Prism’ or ‘Tempora’ revelations about the US’s National Security Agency or the UK’s GCHQ’s activities, or because of recent developments regarding the use of CCTV cameras. As to CCTV, according to a newspaper report [1] of a recent survey by the British Security Industry Association, 5.9 million CCTV cameras are watching us, roughly one for every 10 citizens. This is not an ‘inevitable’ consequence of modern life but a peculiarly British development. Apparently, we have 20% of all CCTV in the world, more official eyes than China. Global retailers fit CCTV into their stores in the UK, while feeling no need to do so elsewhere. Whatever the purpose of a new building is, architects design integral CCTV and a surveillance budget is set aside. The ultra-cautious “you never know when...” approach takes over; councils make having CCTV a pre-condition of getting a liquor licence, whether dealing with a big city-centre nightclub or a quiet village pub. [2] All this sits side by side with a degree of incompetence. The BSIA notes that most private CCTV is a sham; cameras are rarely monitored and badly positioned, more likely to catch the heads of shoppers than their faces.

So, is it necessary or lawful to record children in youth clubs by (as was apparently the case in a parish in Gloucestershire), streaming the footage to the living room TV of two parish councillors? Practitioners have to date been able to look at the ICO’s CCTV Code of Practice [3] for guidance. But on 4 June 2013, the Home Secretary laid a “Surveillance Camera Code of Practice” [4] before Parliament. The Code came into force on 12 August 2013. It applies to ‘relevant authorities’ as defined by s33 of the Protection of Freedoms Act 2012; that is, mostly local authorities and policing authorities. [5] The Code applies to ‘overt’ surveillance; ‘covert’ surveillance is regulated by RIPA (the Regulation of Investigatory Powers Act 2000). The duty upon relevant authorities is to ‘have regard to’ the Code. Although this is not an absolute duty to follow the Code, a failure to apply its provisions would call for reasoned explanation, and would be taken into account in civil or criminal proceedings.

Many operators of cameras, including those in the private sector, will fall outside the definition of a ‘relevant authority.’ The Code states that “... the government fully recognises that many surveillance camera systems within public places are operated by the private sector, by the third sector or by other public authorities (for example, shops and shopping centres, sports grounds and other sports venues, schools, transport systems and hospitals). ... the government will keep the code under review and may in due course consider adding others to the list of relevant authorities.”

The Code draws upon the framework of Article 8, ECHR, to suggest that overt surveillance cameras may be used in a public place whenever that use is “in pursuit of a legitimate aim; necessary to meet a pressing need; proportionate; effective; and compliant with any relevant legal obligations”. Such surveillance should be “surveillance by consent”; but that consent must be informed and not assumed by the system operator. There are 12 guiding principles set out by the Code:-

“2.6 System operators should adopt the following 12 guiding principles:

1. Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.

2. The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.

3. There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.

4. There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.

5. Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.

6. No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once its purpose has been discharged.

7. Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.

8. Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.

9. Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.

10. There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.

11. When the use of a surveillance camera system is in pursuit of a legitimate aim and a pressing need, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.

12. Any information used to support a surveillance camera system which matches against a reference database for matching purposes should be accurate and kept up to date.

A recent example of the need to justify the use of CCTV can be found in the enforcement notice served on 15 July by the ICO, on the Chief Constable of Hertfordshire Constabulary. The ICO declared the CCTV “ring of steel” around Royston, Hertfordshire, unlawful. Seven static Automatic Number Plate Recognition cameras covered the entrances and exits to Royston, recording the number-plates of each car that drove in or out. The ICO found that “no satisfactory explanation” of the policy had been given to him. He held that there was a breach of the first data protection principle (fair and lawful processing) and also the third principle (excessive processing). He made explicit reference to Article 8 of the ECHR in reaching this conclusion, holding that there was an unlawful interference with the right to respect for a private and family life. The remedy referred back to the absence of a “satisfactory explanation” for the policy; the CC was to “refrain from processing” the data “except to the extent that that such processing can be justified to the satisfaction of the Commissioner … following the conduct of a Privacy Impact Assessment”. The assessment was to define the “pressing social need”, to assess the effectiveness of the measures in addressing it, the impact on the private lives of individuals and to determine whether the measures were “a proportionate interference”.

Practitioners will recognise the influence of the requirements of Article 8, ECHR, upon these required steps.

Data protection in the Supreme Court

In a rare development, the subject of data protection has been considered by the UK’s Supreme Court: see South Lanarkshire Council (Appellant) v The Scottish Information Commissioner (Respondent) [2013] UKSC 55, which considered the Scottish Freedom of Information Act 2002’s equivalent of s40(2), FOIA. The Supreme Court was considering a request for information about the number (but not the identity) of its employees in a particular post at points on the Council’s pay scales. The requestor’s purpose was to investigate whether the appellant’s pay gradings favoured work traditionally done by men. The request was refused on the basis that to release the information would contravene the DPA, but the Scottish Information Commissioner decided that the information should be released. The Council appealed.

The Supreme Court upheld the ICO’s decision. Baroness Hale considered the relationship between Article 8 of the ECHR and Condition 6 of Schedule 2 of the DPA (i.e. the requirement that “the processing [be] necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject”).

She stated that:

“It is obvious that condition 6 requires three questions to be answered:

(i) Is the data controller or the third party or parties to whom the data are disclosed pursuing a legitimate interest or interests?

(ii) Is the processing involved necessary for the purposes of those interests?

(iii) Is the processing unwarranted in this case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?”

Baroness Hale held that:

• The word “necessary” has to be considered in relation to the processing to which it relates. If the processing in question would involve an interference with the data subject’s right to respect for his private life, then the requirements of article 8(2) of the European Convention on Human Rights must be fulfilled. In a case involving Condition 6, the balancing exercise required by Article 8(2) is built into the condition itself; what matters is that the overall result is compliant with the Convention.
• In this case, the identity of the data subjects would not be identified from the disclosures sought; as a result it was “quite difficult to see why there is any interference with their right to respect for their private lives.”
• The meaning of the word “necessary” was clearly established in community law. It means “reasonably” rather than absolutely or strictly necessary, and forms a part of the proportionality test. A measure which interferes with a right protected by community law must be the least restrictive for the achievement of a legitimate aim. “Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less.”

Finally, the Supreme Court noted that the Information Commissioner was bound by the requirements of natural justice when conducting an investigation; this would require disclosure of any new material that was adverse to the interests of the participants, which he had received. It is noteworthy that in Scotland, the Scottish Information Commissioner is the sole finder of facts. There is a right of appeal to the Inner House of the Court of Session, but on a point of law only. That stands in contrast to the wider role of the FTT in England and Wales, which can re-hear cases. So the need for the Commissioner to act fairly was of even greater importance in Scotland.

Eleanor Grey QC, Catherine Dobson and Jack Anderson are barristers at 39 Essex Street.